Validating untrusted objects and entities

ABSTRACT

This invention is a validation method for determining whether an untrusted chip is valid, or not. In another aspect it concerns a validation system for the method. The method may be used to determine the physical presence of a valid chip. A trusted chip generates a random number and a digital signature for it, encrypts them with a first key and then calls a prove function in the untrusted chip. The prove function decrypts the random number and signature, and calculates another signature from the decrypted random number, for comparison with the decrypted one. If the comparison is successful the random number is encrypted with another key and sent back as a second number. Finally, a test function is called in the trusted chip to generate its own encrypted version of the random number using the second key and then compare it with the received version to validate the untrusted chip. The untrusted chip may be associated with a consumable so that validation of the untrusted chip authenticates the consumable.

TECHNICAL FIELD

[0001] This invention concerns a validation protocol for determining whether an untrusted authentication chip is valid, or not. In another aspect it concerns a validation system for the protocol. The protocol may be used to determine the physical presence of a valid authentication chip. The untrusted chip may be associated with a consumable so that validation of the untrusted chip authenticates the consumable.
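The exchange summarised above, modelled end to end as an added example (this is not code from the patent or its author). It assumes the "digital signature" is an HMAC-SHA-256 under a key both chips hold, and stands in for the unnamed block cipher behind K1 and K2 with a 4-round Feistel network whose round function is HMAC-SHA-256; the names prove, test, K1 and K2 follow the summary, and all keys and sample values are constructed.

```python
"""Model of the validation exchange: a trusted chip sends E_K1[R | Sig(R)],
the untrusted chip checks the signature and answers E_K2[R], and the
trusted chip recomputes E_K2[R] itself and compares.

Assumptions (not from the patent): Sig = HMAC-SHA-256 truncated to R_LEN
bytes under a shared signing key; the block cipher is a 4-round Feistel
network with HMAC-SHA-256 as round function, used only because the
standard library ships no block cipher."""
import hashlib
import hmac
import secrets

R_LEN = 16  # bytes of the random number R; R|S is a single 32-byte block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Deterministic, invertible stand-in for E_K / D_K on one even-length
    block: balanced Feistel, 4 rounds, round function HMAC-SHA-256."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    rounds = range(4)
    for i in (reversed(rounds) if decrypt else rounds):
        src = left if decrypt else right
        f = hmac.new(key, bytes([i]) + src, hashlib.sha256).digest()[:half]
        if decrypt:
            left, right = _xor(right, f), left
        else:
            left, right = right, _xor(left, f)
    return left + right


def signature(sig_key: bytes, r: bytes) -> bytes:
    """The 'digital signature' of R (assumed: truncated HMAC-SHA-256)."""
    return hmac.new(sig_key, r, hashlib.sha256).digest()[:R_LEN]


class UntrustedChip:
    """Chip under test, e.g. on a consumable. Holds K1, K2 and the signing key."""

    def __init__(self, k1: bytes, k2: bytes, sig_key: bytes) -> None:
        self.k1, self.k2, self.sig_key = k1, k2, sig_key

    def prove(self, challenge: bytes):
        """Decrypt R|S with K1, recompute S from R, and only if it matches
        answer with E_K2[R]; otherwise refuse (return None)."""
        plain = block_cipher(self.k1, challenge, decrypt=True)
        r, s = plain[:R_LEN], plain[R_LEN:]
        if not hmac.compare_digest(signature(self.sig_key, r), s):
            return None
        return block_cipher(self.k2, r)


class TrustedChip:
    """Verifier, e.g. in the base system that consumes the cartridge."""

    def __init__(self, k1: bytes, k2: bytes, sig_key: bytes) -> None:
        self.k1, self.k2, self.sig_key = k1, k2, sig_key
        self._r = None

    def challenge(self, r: bytes = None) -> bytes:
        """Draw a fresh random R (a fixed r is accepted only for testing)
        and send E_K1[R | Sig(R)]."""
        self._r = secrets.token_bytes(R_LEN) if r is None else r
        return block_cipher(self.k1, self._r + signature(self.sig_key, self._r))

    def test(self, response) -> bool:
        """Recompute E_K2[R] locally and compare with what came back."""
        if response is None or len(response) != R_LEN:
            return False
        return hmac.compare_digest(block_cipher(self.k2, self._r), response)


def validate(trusted: TrustedChip, untrusted: UntrustedChip, r: bytes = None) -> bool:
    """Run one full round of the protocol and return the verdict."""
    return trusted.test(untrusted.prove(trusted.challenge(r)))
```

Because the stand-in cipher is a permutation, a response captured for one R is never accepted for a different R, which is what makes the random number a replay defence.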

BACKGROUND ART

[0002] 1 Introduction

[0003] Manufacturers of systems that require consumables, such as a laser printer that requires toner cartridges, have struggled with the problem of authenticating consumables, to varying levels of success. Most have resorted to specialized packaging. However this does not stop home refill operations or clone manufacture. The prevention of copying is important for two reasons:

[0004] To protect revenues

[0005] To prevent poorly manufactured substitute consumables from damaging the base system. For example, poorly filtered ink may clog print nozzles in an ink jet printer.

[0006] 2 Scope

[0007] Authentication is an extremely large and constantly growing field. This invention is concerned with authenticating consumables. In most cases, there is no reason to prohibit the use of consumables in a third party product.

[0008] The invention concerns an authentication chip that contains an authentication code and circuit specially designed to prevent copying. The chip is manufactured using the standard Flash memory manufacturing process, and is low cost enough to be included in consumables such as ink and toner cartridges.

[0009] Once programmed, the authentication chips are compliant with the NSA export guidelines since they do not constitute an encryption device. They can therefore be practically manufactured in the USA (and exported) or anywhere else in the world.

[0010] 3 Concepts and Terms

[0011] This part discusses terms and concepts that are referred to throughout the remainder of the document.

[0012] 3.1 Symbolic Nomenclature

[0013] The following symbolic nomenclature is used throughout this document:

TABLE 1 Summary of Symbolic Nomenclature

Symbol                Description
F[X]                  Function F, taking a single parameter X
F[X, Y]               Function F, taking two parameters, X and Y
X | Y                 X concatenated with Y
X Y                   Bitwise X AND Y
X Y                   Bitwise X OR Y (inclusive-OR)
X ⊕ Y                 Bitwise X XOR Y (exclusive-OR)
X                     Bitwise NOT X (complement)
X Y                   X is assigned the value Y
X {Y, Z}              The domain of assignment inputs to X is Y and Z
X = Y                 X is equal to Y
X ≠ Y                 X is not equal to Y
X                     Decrement X by 1 (floor 0)
X                     Increment X by 1 (modulo register length)
Erase X               Erase Flash memory register X
SetBits[X, Y]         Set the bits of the Flash memory register X based on Y
Z ShiftRight[X, Y]    Shift register X right one bit position, taking input bit from Y and placing the output bit in Z

(The AND, OR, NOT, assignment, decrement and increment glyphs did not survive in this copy of the table; only their operands are shown.)

[0014] 3.2 Basic Terms

[0015] A message, denoted by M, is plaintext. The process of transforming M into ciphertext C, where the substance of M is hidden, is called encryption. The process of transforming C back into M is called decryption. Referring to the encryption function as E, and the decryption function as D, we have the following identities:

[0016] E[M]=C

[0017] D[C]=M

[0018] Therefore the following identity is true: D[E[M]]=M

[0019] 3.3 Symmetric Cryptography

[0020] A symmetric encryption algorithm is one where:

[0021] the encryption function E relies on key K₁,

[0022] the decryption function D relies on key K₂,

[0023] K₂ can be derived from K₁, and

[0024] K₁ can be derived from K₂.

[0025] In most symmetric algorithms, K₁ equals K₂. However, even if K₁ does not equal K₂, given that one key can be derived from the other, a single key K can suffice for the mathematical definition. Thus:

[0026] E_(K)[M]=C

[0027] D_(K)[C]=M

[0028] The security of these algorithms rests very much in the key K. Knowledge of K allows anyone to encrypt or decrypt. Consequently K must remain a secret for the duration of the value of M. For example, M may be a wartime message “My current position is grid position 123-456”. Once the war is over the value of M is greatly reduced, and if K is made public, the knowledge of the combat unit's position may be of no relevance whatsoever. Of course if it is politically sensitive for the combat unit's position to be known even after the war, K may have to remain secret for a very long time.

[0029] An enormous variety of symmetric algorithms exist, from the textbooks of ancient history through to sophisticated modern algorithms. Many of these are insecure, in that modern cryptanalysis techniques (see Section 3.8) can successfully attack the algorithm to the extent that K can be derived.

[0030] The security of the particular symmetric algorithm is a function of two things: the strength of the algorithm and the length of the key [78].

[0031] The strength of an algorithm is difficult to quantify, relying on its resistance to cryptographic attacks (see Section 3.8). In addition, the longer that an algorithm has remained in the public eye, and yet remained unbroken in the midst of intense scrutiny, the more secure the algorithm is likely to be. By contrast, a secret algorithm that has not been scrutinized by cryptographic experts is unlikely to be secure.

[0032] Even if the algorithm is “perfectly” strong (the only way to break it is to try every key—see Section 3.8.1.5), eventually the right key will be found. However, the more keys there are, the more keys have to be tried. If there are N keys, it will take a maximum of N tries. If the key is N bits long, it will take a maximum of 2^(N) tries, with a 50% chance of finding the key after only half the attempts (2^(N−1)). The longer N becomes, the longer it will take to find the key, and hence the more secure it is. What makes a good key length depends on the value of the secret and the time for which the secret must remain secret as well as available computing resources.

[0033] In 1996, an ad hoc group of world-renowned cryptographers and computer scientists released a report [9] describing minimal key lengths for symmetric ciphers to provide adequate commercial security. They suggest an absolute minimum key length of 90 bits in order to protect data for 20 years, and stress that increasingly, as cryptosystems succumb to smarter attacks than brute-force key search, even more bits may be required to account for future surprises in cryptanalysis techniques.

[0034] We will ignore most historical symmetric algorithms on the grounds that they are insecure, especially given modern computing technology. Instead, we will discuss the following algorithms:

[0035] DES

[0036] Blowfish

[0037] RC5

[0038] IDEA

[0039] 3.3.1 DES

[0040] DES (Data Encryption Standard) [26] is a US and international standard, where the same key is used to encrypt and decrypt. The key length is 56 bits. It has been implemented in hardware and software, although the original design was for hardware only. The original algorithm used in DES was patented in 1976 (U.S. Pat. No. 3,962,539) and has since expired.

[0041] During the design of DES, the NSA (National Security Agency) provided secret S-boxes to perform the key-dependent nonlinear transformations of the data block. After differential cryptanalysis was discovered outside the NSA, it was revealed that the DES S-boxes were specifically designed to be resistant to differential cryptanalysis.

[0042] As described in [92], using 1993 technology, a 56-bit DES key can be recovered by a custom-designed $1 million machine performing a brute force attack in only 35 minutes. For $10 million, the key can be recovered in only 3.5 minutes. DES is clearly not secure now, and will become less so in the future.

[0043] A variant of DES, called triple-DES, is more secure, but requires 3 keys: K₁, K₂, and K₃. The keys are used in the following manner:

[0044] E_(K3)[D_(K2)[E_(K1)[M]]]=C

[0045] D_(K3)[E_(K2)[D_(K1)[C]]]=M

[0046] The main advantage of triple-DES is that existing DES implementations can be used to give more security than single key DES. Specifically, triple-DES gives protection of equivalent key length of 112 bits [78]. Triple-DES does not give the equivalent protection of a 168-bit key (3×56) as one might naively expect.

[0047] Equipment that performs triple-DES decoding and/or encoding cannot be exported from the United States.

[0048] 3.3.2 Blowfish

[0049] Blowfish is a symmetric block cipher first presented by Schneier in 1994 [76]. It takes a variable length key, from 32 bits to 448 bits, is unpatented, and is both license and royalty free. In addition, it is much faster than DES.

[0050] The Blowfish algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs via a 16-round Feistel network. All operations are XORs and additions on 32-bit words, with four index array lookups per round.

[0051] It should be noted that decryption is the same as encryption except that the subkey arrays are used in the reverse order. Complexity of implementation is therefore reduced compared to other algorithms that do not have such symmetry.

[0052] [77] describes the published attacks which have been mounted on Blowfish, although the algorithm remains secure as of February 1998 [79]. The major finding with these attacks has been the discovery of certain weak keys. These weak keys can be tested for during key generation. For more information, refer to [77] and [79].

[0053] 3.3.3 RC5

[0054] Designed by Ron Rivest in 1995, RC5 [74] has a variable block size, key size, and number of rounds. Typically, however, it uses a 64-bit block size and a 128-bit key.

[0055] The RC5 algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key into 2r+2 subkeys (where r = the number of rounds), each subkey being w bits. For a 64-bit block size with 16 rounds (w=32, r=16), the subkey arrays total 136 bytes. Data encryption uses addition mod 2^(w), XOR and bitwise rotation.

[0056] An initial examination by Kaliski and Yin in [43] suggested that standard linear and differential cryptanalysis appeared impractical for the 64-bit block size version of the algorithm. Their differential attacks on 9 and 12 round RC5 require 2⁴⁵ and 2⁶² chosen plaintexts respectively, while the linear attacks on 4, 5, and 6 round RC5 require 2³⁷, 2⁴⁷ and 2⁵⁷ known plaintexts respectively. These two attacks are independent of key size.

[0057] More recently however, Knudsen and Meier [47] described a new type of differential attack on RC5 that improved the earlier results by a factor of 128, showing that RC5 has certain weak keys.

[0058] RC5 is protected by multiple patents owned by RSA Laboratories. A license must be obtained to use it.

[0059] 3.3.4 IDEA

[0060] Developed in 1990 by Lai and Massey [53], the first incarnation of the IDEA cipher was called PES. After differential cryptanalysis was discovered by Biham and Shamir in 1991, the algorithm was strengthened, with the result being published in 1992 as IDEA [52].

[0061] IDEA uses 128-bit keys to operate on 64-bit plaintext blocks. The same algorithm is used for encryption and decryption. It is generally regarded as the most secure block algorithm available today [78][56].

[0062] The biggest drawback of IDEA is the fact that it is patented (U.S. Pat. No. 5,214,703, issued in 1993), and a license must be obtained from Ascom Tech AG (Bern) to use it.

[0063] 3.4 Asymmetric Cryptography

[0064] An asymmetric encryption algorithm is one where:

[0065] the encryption function E relies on key K₁,

[0066] the decryption function D relies on key K₂,

[0067] K₂ cannot be derived from K₁ in a reasonable amount of time, and

[0068] K₁ cannot be derived from K₂ in a reasonable amount of time.

[0069] Thus: E_(K1)[M]=C

[0070] D_(K2)[C]=M

[0071] These algorithms are also called public-key because one key K₁ can be made public. Thus anyone can encrypt a message (using K₁) but only the person with the corresponding decryption key (K₂) can decrypt and thus read the message.

[0072] In most cases, the following identity also holds: E_(K2)[M]=C

[0073] D_(K1)[C]=M

[0074] This identity is very important because it implies that anyone with the public key K₁ can see M and know that it came from the owner of K₂. No-one else could have generated C because to do so would imply knowledge of K₂. This gives rise to a different application, unrelated to encryption—digital signatures.

[0075] The property of not being able to derive K₁ from K₂ and vice versa in a reasonable time is of course clouded by the concept of reasonable time. What has been demonstrated time after time, is that a calculation that was thought to require a long time has been made possible by the introduction of faster computers, new algorithms etc. The security of asymmetric algorithms is based on the difficulty of one of two problems: factoring large numbers (more specifically large numbers that are the product of two large primes), and the difficulty of calculating discrete logarithms in a finite field. Factoring large numbers is conjectured to be a hard problem given today's understanding of mathematics. The problem however, is that factoring is getting easier much faster than anticipated. Ron Rivest in 1977 said that factoring a 125-digit number would take 40 quadrillion years [30]. In 1994 a 129-digit number was factored [3]. According to Schneier, you need a 1024-bit number to get the level of security today that you got from a 512-bit number in the 1980s [78]. If the key is to last for some years then 1024 bits may not even be enough. Rivest revised his key length estimates in 1990: he suggests 1628 bits for high security lasting until 2005, and 1884 bits for high security lasting until 2015 [69]. Schneier suggests 2048 bits are required in order to protect against corporations and governments until 2015 [80].

[0076] Public key cryptography was invented in 1976 by Diffie and Hellman [15][16], and independently by Merkle [57]. Although Diffie, Hellman and Merkle patented the concepts (U.S. Pat. Nos. 4,200,770 and 4,218,582), these patents expired in 1997.

[0077] A number of public key cryptographic algorithms exist. Most are impractical to implement, and many generate a very large C for a given M or require enormous keys. Still others, while secure, are far too slow to be practical for several years. Because of this, many public key systems are hybrid—a public key mechanism is used to transmit a symmetric session key, and then the session key is used for the actual messages.

[0078] All of the algorithms have a problem in terms of key selection. A random number is simply not secure enough. The two large primes p and q must be chosen carefully—there are certain weak combinations that can be factored more easily (some of the weak keys can be tested for). But nonetheless, key selection is not a simple matter of randomly selecting 1024 bits for example. Consequently the key selection process must also be secure.

[0079] Of the practical algorithms in use under public scrutiny, the following are discussed:

[0080] RSA

[0081] DSA

[0082] ElGamal

[0083] 3.4.1 RSA

[0084] The RSA cryptosystem [75], named after Rivest, Shamir, and Adleman, is the most widely used public key cryptosystem, and is a de facto standard in much of the world [78].

[0085] The security of RSA depends on the conjectured difficulty of factoring large numbers that are the product of two primes (p and q). There are a number of restrictions on the generation of p and q. They should both be large, with a similar number of bits, yet not be close to one another (otherwise p = q = √(pq)). In addition, many authors have suggested that p and q should be strong primes [56]. The Hellman-Bach patent (U.S. Pat. No. 4,633,036) covers a method for generating strong RSA primes p and q such that n=pq and factoring n is believed to be computationally infeasible.
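An added example (not code from the patent) that runs RSA on small constructed primes to show the two identities of Section 3.4, D_(K2)[E_(K1)[M]]=M and D_(K1)[E_(K2)[M]]=M, and to make the caveat above concrete: when p and q are close, n = pq falls to a few steps of Fermat's a²−b² search, so a key-generation routine should reject such pairs. The primes, the message and the step threshold are all constructed for the example and far too small for real use.

```python
"""RSA identities and the 'p and q must not be close' check from [0085].
Assumed: e = 65537 as public exponent; the Fermat step budget of 1000
is an illustrative threshold, not a value from the patent."""
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) = ((n, e), (n, d)) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))


def apply_key(key, m: int) -> int:
    """E or D: the same modular exponentiation under either key."""
    n, k = key
    return pow(m, k, n)


def fermat_factor(n: int, max_steps: int):
    """Try to write n = a^2 - b^2 = (a-b)(a+b), starting at a = ceil(sqrt n).
    Succeeds within a few steps exactly when the two factors are close,
    which is the situation the text warns about. Returns (p, q) or None."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def accept_prime_pair(p: int, q: int, max_steps: int = 1000) -> bool:
    """Key-generation check: True if n = pq survives a short Fermat search,
    i.e. p and q are not close enough to be recovered as sqrt(pq)."""
    return fermat_factor(p * q, max_steps) is None


def demo():
    # Constructed primes: the 10000th and 100000th primes, well separated.
    pub, priv = rsa_keygen(104729, 1299709)
    m = 123456789
    enc_then_dec = apply_key(priv, apply_key(pub, m))   # D_K2[E_K1[M]]
    sig_then_ver = apply_key(pub, apply_key(priv, m))   # D_K1[E_K2[M]]
    # Constructed adjacent primes just above 10^6: recovered in one step.
    close_pair = fermat_factor(1000003 * 1000033, 1000)
    return enc_then_dec, sig_then_ver, close_pair
```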

[0086] The RSA algorithm patent was issued in 1983 (U.S. Pat. No. 4,405,829). The patent expires on Sep. 20, 2000.

[0087] 3.4.2 DSA

[0088] DSA (Digital Signature Algorithm) is an algorithm designed as part of the Digital Signature Standard (DSS) [29]. As defined, it cannot be used for generalized encryption. In addition, compared to RSA, DSA is 10 to 40 times slower for signature verification [40]. DSA explicitly uses the SHA-1 hashing algorithm (see Section 3.6.3.3).

[0089] DSA key generation relies on finding two primes p and q such that q divides p−1. According to Schneier [78], a 1024-bit p value is required for long term DSA security. However the DSA standard [29] does not permit values of p larger than 1024 bits (p must also be a multiple of 64 bits).

[0090] The US Government owns the DSA algorithm and has at least one relevant patent (U.S. Pat. No. 5,231,688 granted in 1993). However, according to NIST [61]:

[0091] “The DSA patent and any foreign counterparts that may issue are available for use without any written permission from or any payment of royalties to the U.S. government.”

[0092] In a much stronger declaration, NIST states in the same document [61] that DSA does not infringe third party's rights:

[0093] “NIST reviewed all of the asserted patents and concluded that none of them would be infringed by DSS. Extra protection will be written into the PKI pilot project that will prevent an organization or individual from suing anyone except the government for patent infringement during the course of the project.”

[0094] It must however, be noted that the Schnorr authentication algorithm [81] (U.S. Pat. No. 4,995,082) patent holder claims that DSA infringes his patent. The Schnorr patent is not due to expire until 2008.

[0095] 3.4.3 ElGamal

[0096] The ElGamal scheme [22][23] is used for both encryption and digital signatures. The security is based on the conjectured difficulty of calculating discrete logarithms in a finite field.

[0097] Key selection involves the selection of a prime p, and two random numbers g and x such that both g and x are less than p. Then calculate y = g^(x) mod p. The public key is y, g, and p. The private key is x.

[0098] ElGamal is unpatented. Although it uses the patented Diffie-Hellman public key algorithm [15][16], those patents expired in 1997. ElGamal public key encryption and digital signatures can now be safely used without infringing third party patents.

[0099] 3.5 Cryptographic Challenge-Response Protocols and Zero Knowledge Proofs

[0100] The general principle of a challenge-response protocol is to provide identity authentication. The simplest form of challenge-response takes the form of a secret password. A asks B for the secret password, and if B responds with the correct password, A declares B authentic.

[0101] There are three main problems with this kind of simplistic protocol. Firstly, once B has responded with the password, any observer C will know what the password is. Secondly, A must know the password in order to verify it. Thirdly, if C impersonates A, then B will give the password to C (thinking C was A), thus compromising the password.

[0102] Using a copyright text (such as a haiku) as the password is not sufficient, because we are assuming that anyone is able to copy the password (for example in a country where intellectual property is not respected).

[0103] The idea of cryptographic challenge-response protocols is that one entity (the claimant) proves its identity to another (the verifier) by demonstrating knowledge of a secret known to be associated with that entity, without revealing the secret itself to the verifier during the protocol [56]. In the generalized case of cryptographic challenge-response protocols, with some schemes the verifier knows the secret, while in others the secret is not even known by the verifier. A good overview of these protocols can be found in [25], [78], and [56].

[0104] Since this document specifically concerns Authentication, the actual cryptographic challenge-response protocols used for authentication are detailed in the appropriate sections. However the concept of Zero Knowledge Proofs bears mentioning here.

[0105] The Zero Knowledge Proof protocol, first described by Feige, Fiat and Shamir in [24] is extensively used in Smart Cards for the purpose of authentication [34][36][67]. The protocol's effectiveness is based on the assumption that it is computationally infeasible to compute square roots modulo a large composite integer with unknown factorization. This is provably equivalent to the assumption that factoring large integers is difficult.

[0106] It should be noted that there is no need for the claimant to have significant computing power. Smart cards implement this kind of authentication using only a few modulo multiplications [34][36].

[0107] Finally, it should be noted that the Zero Knowledge Proof protocol is patented [82] (U.S. Pat. No. 4,748,668, issued May 31, 1988).

[0108] 3.6 One-Way Functions

[0109] A one-way function F operates on an input X, and returns F[X] such that X cannot be determined from F[X]. When there is no restriction on the format of X, and F[X] contains fewer bits than X, then collisions must exist. A collision is defined as two different X input values producing the same F[X] value—i.e. X₁ and X₂ exist such that X₁ ≠ X₂ yet F[X₁]=F[X₂].

[0110] When X contains more bits than F[X], the input must be compressed in some way to create the output. In many cases, X is broken into blocks of a particular size, and compressed over a number of rounds, with the output of one round being the input to the next. The output of the hash function is the last output once X has been consumed. A pseudo-collision of the compression function CF is defined as two different initial values V₁ and V₂ and two inputs X₁ and X₂ (possibly identical) such that CF(V₁, X₁)=CF(V₂, X₂). Note that the existence of a pseudo-collision does not mean that it is easy to compute an X₂ for a given X₁.

[0111] We are only interested in one-way functions that are fast to compute. In addition, we are only interested in deterministic one-way functions that are repeatable in different implementations. Consider an example F where F[X] is the time between calls to F. For a given F[X], X cannot be determined because X is not even used by F. However the output from F will be different for different implementations. This kind of F is therefore not of interest.

[0112] In the scope of this document, we are interested in the following forms of one-way functions:

[0113] Encryption using an unknown key

[0114] Random number sequences

[0115] Hash Functions

[0116] Message Authentication Codes

[0117] 3.6.1 Encryption Using an Unknown Key

[0118] When a message is encrypted using an unknown key K, the encryption function E is effectively one-way. Without the key K, it is computationally infeasible to obtain M from E_(K)[M]. An encryption function is only one-way for as long as the key remains hidden.

[0119] An encryption algorithm does not create collisions, since E creates E_(K)[M] such that it is possible to reconstruct M using function D. Consequently F[X] contains at least as many bits as X (no information is lost) if the one-way function F is E.

[0120] Symmetric encryption algorithms (see Section 3.3) have the advantage over asymmetric algorithms (see Section 3.4) for producing one-way functions based on encryption for the following reasons:

[0121] The key for a given strength encryption algorithm is shorter for a symmetric algorithm than an asymmetric algorithm

[0122] Symmetric algorithms are faster to compute and require less software or silicon

[0123] Note however, that the selection of a good key depends on the encryption algorithm chosen. Certain keys are not strong for particular encryption algorithms, so any key needs to be tested for strength. The more tests that need to be performed for key selection, the less likely the key will remain hidden.

[0124] 3.6.2 Random Number Sequences

[0125] Consider a random number sequence R₀, R₁, . . . , R_(i), R_(i+1). We define the one-way function F such that F[X] returns the X^(th) random number in the random sequence. However we must ensure that F[X] is repeatable for a given X on different implementations. The random number sequence therefore cannot be truly random. Instead, it must be pseudo-random, with the generator making use of a specific seed.

[0126] There are a large number of issues concerned with defining good random number generators. Knuth, in [48] describes what makes a generator “good” (including statistical tests), and the general problems associated with constructing them. Moreau gives a high level survey of the current state of the field in [60].

[0127] The majority of random number generators produce the i^(th) random number from the (i−1)^(th) state—the only way to determine the i^(th) number is to iterate from the 0^(th) number to the i^(th). If i is large, it may not be practical to wait for i iterations.

[0128] However there is a type of random number generator that does allow random access. In [10], Blum, Blum and Shub define the ideal generator as follows: “. . . we would like a pseudo-random sequence generator to quickly produce, from short seeds, long sequences (of bits) that appear in every way to be generated by successive flips of a fair coin”. They defined the x² mod n generator [10], more commonly referred to as the BBS generator. They showed that given certain assumptions upon which modern cryptography relies, a BBS generator passes extremely stringent statistical tests.

[0129] The BBS generator relies on selecting n which is a Blum integer (n=pq where p and q are large prime numbers, p ≠ q, p mod 4=3, and q mod 4=3). The initial state of the generator is given by x₀ where x₀ = x² mod n, and x is a random integer relatively prime to n. The i^(th) pseudo-random bit is the least significant bit of x_(i) where:

[0130] x_(i) = x_(i−1)² mod n

[0131] As an extra property, knowledge of p and q allows a direct calculation of the i^(th) number in the sequence as follows:

x_(i) = x₀^(y) mod n where y = 2^(i) mod ((p−1)(q−1))

[0132] Without knowledge of p and q, the generator must iterate (the security of calculation relies on the conjectured difficulty of factoring large numbers).

[0133] When first defined, the primary problem with the BBS generator was the amount of work required for a single output bit. The algorithm was considered too slow for most applications. However the advent of Montgomery reduction arithmetic [58] has given rise to more practical implementations, such as [59]. In addition, Vazirani and Vazirani have shown in [90] that depending on the size of n, more bits can safely be taken from x_(i) without compromising the security of the generator.

[0134] Assuming we only take 1 bit per x_(i), N bits (and hence N iterations of the bit generator function) are needed in order to generate an N-bit random number. To the outside observer, given a particular set of bits, there is no way to determine the next bit other than a 50/50 probability. If the x, p and q are hidden, they act as a key, and it is computationally infeasible to take an output bit stream and compute x, p, and q. It is also computationally infeasible to determine the value of i used to generate a given set of pseudo-random bits. This last feature makes the generator one-way. Different values of i can produce identical bit sequences of a given length (e.g. 32 bits of random bits). Even if x, p and q are known, for a given F[i], i can only be derived as a set of possibilities, not as a certain value (of course if the domain of i is known, then the set of possibilities is reduced further).

[0135] However, there are problems in selecting a good p and q, and a good seed x. In particular, Ritter in [68] describes a problem in selecting x. The nature of the problem is that a BBS generator does not create a single cycle of known length. Instead, it creates cycles of various lengths, including degenerate (zero-length) cycles. Thus a BBS generator cannot be initialized with a random state—it might be on a short cycle. Specific algorithms exist in section 9 of [10] to determine the length of the period for a given seed given certain strenuous conditions for n.
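The BBS generator of [0129] to [0135], written out as an added example (not the patent's code): the iterative rule x_(i) = x_(i−1)² mod n, the direct-access formula x_(i) = x₀^(2^(i) mod (p−1)(q−1)) mod n that only the holder of p and q can use, N-bit numbers from N least-significant bits, and a brute-force period check that exhibits the short-cycle problem on a small modulus. The primes and seeds are constructed for the example and far too small for any real use; primality of p and q is assumed rather than tested.

```python
"""Blum Blum Shub: iteration, random access with p and q, and cycle lengths.
Constructed parameters only; p and q are assumed prime (not checked)."""
from math import gcd


class BBS:
    def __init__(self, p: int, q: int, x: int) -> None:
        # Blum integer conditions from the text: distinct primes, both 3 mod 4
        if p == q or p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
        self.n = p * q
        if gcd(x, self.n) != 1:
            raise ValueError("seed x must be relatively prime to n")
        self.p, self.q = p, q
        self.x0 = x * x % self.n          # initial state x_0 = x^2 mod n

    def x_iter(self, i: int) -> int:
        """x_i by i successive squarings from x_0 (a party without p, q must do this)."""
        x = self.x0
        for _ in range(i):
            x = x * x % self.n
        return x

    def x_direct(self, i: int) -> int:
        """x_i in logarithmic work using p and q: x_0^(2^i mod (p-1)(q-1)) mod n."""
        y = pow(2, i, (self.p - 1) * (self.q - 1))
        return pow(self.x0, y, self.n)

    def random_number(self, nbits: int) -> int:
        """N-bit number from N iterations, one least-significant bit per x_i ([0134])."""
        out, x = 0, self.x0
        for _ in range(nbits):
            x = x * x % self.n
            out = (out << 1) | (x & 1)
        return out

    def period(self) -> int:
        """Length of the cycle x_0 lies on, by brute force (small n only).
        Squaring permutes the quadratic residues of a Blum integer, so the
        orbit of x_0 is purely periodic; a period of 1 is the degenerate case."""
        x, steps = self.x0, 0
        while True:
            x = x * x % self.n
            steps += 1
            if x == self.x0:
                return steps


def period_profile(p: int, q: int) -> set:
    """Set of cycle lengths reached over every valid seed modulo n = pq,
    which shows that a randomly chosen seed can land on a very short cycle."""
    n = p * q
    return {BBS(p, q, x).period() for x in range(1, n) if gcd(x, n) == 1}
```

With the constructed n = 11 × 19, seeds fall on cycles of length 1, 2, 4, 6 or 12 only, so a seed must be checked (or chosen with the conditions of [10], section 9) rather than drawn blindly.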

[0136] 3.6.3 Hash Functions

Special one-way functions, known as Hash functions, map arbitrary length messages to fixed-length hash values. Hash functions are referred to as H[M]. Since the input is of arbitrary length, a hash function has a compression component in order to produce a fixed length output. Hash functions also have an obfuscation component in order to make it difficult to find collisions and to determine information about M from H[M].

[0137] Because collisions do exist, most applications require that the hash algorithm is preimage resistant, in that for a given X₁ it is difficult to find X₂ such that H[X₁]=H[X₂]. In addition, most applications also require the hash algorithm to be collision resistant (i.e. it should be hard to find two messages X₁ and X₂ such that H[X₁]=H[X₂]). However, as described in [20], it is an open problem whether a collision-resistant hash function, in the ideal sense, can exist at all.

[0138] The primary application for hash functions is in the reduction of an input message into a digital “fingerprint” before the application of a digital signature algorithm. One problem of collisions with digital signatures can be seen in the following example.

[0139] A has a long message M₁ that says “I owe B $10”. A signs H[M₁] using his private key.

[0140] B, being greedy, then searches for a collision message M₂ where H[M₂]=H[M₁] but where M₂ is favorable to B, for example “I owe B $1 million”. Clearly it is in A's interest to ensure that it is difficult to find such an M₂.

[0142] Examples of collision resistant one-way hash functions are SHA-1 [28], MD5 [73] and RIPEMD-160 [66], all derived from MD4 [70][72].

[0143] 3.6.3.1 MD4

[0144] Ron Rivest introduced MD4 [70][72] in 1990. It is only mentioned here because all other one-way hash functions are derived in some way from MD4.

[0145] MD4 is now considered completely broken [18][19] in that collisions can be calculated instead of searched for. In the example above, B could trivially generate a substitute message M₂ with the same hash value as the original message M₁.

[0146] 3.6.3.2 MD5

[0147] Ron Rivest introduced MD5 [73] in 1991 as a more secure MD4. Like MD4, MD5 produces a 128-bit hash value. MD5 is not patented [80].

[0148] Dobbertin describes the status of MD5 after recent attacks [20]. He describes how pseudo-collisions have been found in MD5, indicating a weakness in the compression function, and more recently, collisions have been found. This means that MD5 should not be used for compression in digital signature schemes where the existence of collisions may have dire consequences. However MD5 can still be used as a one-way function. In addition, the HMAC-MD5 construct (see Section 3.6.4.1) is not affected by these recent attacks.

[0149] 3.6.3.3 SHA-1

[0150] SHA-1 [28] is very similar to MD5, but has a 160-bit hash value (MD5 only has 128 bits of hash value). SHA-1 was designed and introduced by the NIST and NSA for use in the Digital Signature Standard (DSS). The original published description was called SHA [27], but very soon afterwards, was revised to become SHA-1 [28], supposedly to correct a security flaw in SHA (although the NSA has not released the mathematical reasoning behind the change).

[0151] There are no known cryptographic attacks against SHA-1 [78]. Itis also more resistant to brute force attacks than MD4 or MD5 simplybecause of the longer hash result.

[0152] The US Government owns the SHA-1 and DSA algorithms (a digitalsignature authentication algorithm defined as part of DSS [29]) and hasat least one relevant patent (U.S. Pat. No. 5,231,688 granted in 1993).However, according to NIST [61]:

[0153] “The DSA patent and any foreign counterparts that may issue areavailable for use without any written permission from or any payment ofroyalties to the U.S. government.”

[0154] In a much stronger declaration, NIST states in the same document[61] that DSA and SHA-1 do not infringe third party's rights:

[0155] “NIST reviewed all of the asserted patents and concluded thatnone of them would be infringed by DSS. Extra protection will be writteninto the PK1 pilot project that will prevent an organization orindividual from suing anyone except the government for patentinfringement during the course of the project.”

[0156] It must however, be noted that the Schnorr authenticationalgorithm [81] (U.S. Pat. No. 4,995,082) patent holder claims that DSAinfringes his patent. The Schnorr patent is not due to expire until2008. Fortunately this does not affect SHA-1.

[0157] 3.6.3.4 RIPEMD-160

[0158] RIPEMD-160 [66] is a hash function derived from its predecessor RIPEMD [11] (developed for the European Community's RIPE project in 1992). As its name suggests, RIPEMD-160 produces a 160-bit hash result. Tuned for software implementations on 32-bit architectures, RIPEMD-160 is intended to provide a high level of security for 10 years or more.

[0159] Although there have been no successful attacks on RIPEMD-160, it is comparatively new and has not been extensively cryptanalyzed. The original RIPEMD algorithm [11] was specifically designed to resist known cryptographic attacks on MD4. The recent attacks on MD5 (detailed in [20]) showed similar weaknesses in the RIPEMD 128-bit hash function. Although the attacks showed only theoretical weaknesses, Dobbertin, Preneel and Bosselaers further strengthened RIPEMD into a new algorithm, RIPEMD-160.

[0160] RIPEMD-160 is in the public domain, and requires no licensing or royalty payments.

[0161] 3.6.4 Message Authentication Codes

[0162] The problem of message authentication can be summed up as follows:

[0163] How can A be sure that a message supposedly from B is in fact from B?

[0164] Message authentication is different from entity authentication (described in the section on cryptographic challenge-response protocols). With entity authentication, one entity (the claimant) proves its identity to another (the verifier). With message authentication, we are concerned with making sure that a given message is from who we think it is from, i.e. it has not been tampered with en route from the source to its destination. While this section has a brief overview of message authentication, a more detailed survey can be found in [86].

[0165] A one-way hash function is not sufficient protection for a message. Hash functions such as MD5 rely on generating a hash value that is representative of the original input, and the original input cannot be derived from the hash value. A simple attack by E, who is in between A and B, is to intercept the message from B, and substitute his own. Even if B also sends a hash of the original message, E can simply substitute the hash of his new message. Using a one-way hash function alone, A has no way of knowing that B's message has been changed.

[0166] One solution to the problem of message authentication is the Message Authentication Code, or MAC.

[0167] When B sends message M, it also sends MAC[M] so that the receiver will know that M is actually from B. For this to be possible, only B must be able to produce a MAC of M, and in addition, A should be able to verify M against MAC[M]. Notice that this is different from encryption of M: MACs are useful when M does not have to be secret.

[0168] The simplest method of constructing a MAC from a hash function is to encrypt the hash value with a symmetric algorithm:

[0169] 1. Hash the input message H[M]

[0170] 2. Encrypt the hash E_(K)[H[M]]

[0171] This is more secure than first encrypting the message and then hashing the encrypted message. Any symmetric or asymmetric cryptographic function can be used, with the appropriate advantages and disadvantages of each type described in Section 3.3 and Section 3.4.

[0172] However, there are advantages to using a key-dependent one-way hash function instead of techniques that use encryption (such as that shown above):

[0173] Speed, because one-way hash functions in general work much faster than encryption;

[0174] Message size, because E_(K)[M] is at least the same size as M, while H[M] is a fixed size (usually considerably smaller than M);

[0175] Hardware/software requirements—keyed one-way hash functions are typically far less complex than their encryption-based counterparts; and

[0176] One-way hash function implementations are not considered to be encryption or decryption devices and therefore are not subject to US export controls.

[0177] It should be noted that hash functions were never originally designed to contain a key or to support message authentication. As a result, some ad hoc methods of using hash functions to perform message authentication, including various functions that concatenate messages with secret prefixes, suffixes, or both have been proposed [56][78]. Most of these ad hoc methods have been successfully attacked by sophisticated means [42][64][65]. Additional MACs have been suggested based on XOR schemes [8] and Toeplitz matrices [49] (including the special case of LFSR-based (Linear Feedback Shift Register) constructions).

[0178] 3.6.4.1 HMAC

[0179] The HMAC construction [6][7] in particular is gaining acceptance as a solution for Internet message authentication security protocols. The HMAC construction acts as a wrapper, using the underlying hash function in a black-box way. Replacement of the hash function is straightforward if desired due to security or performance reasons. However, the major advantage of the HMAC construct is that it can be proven secure provided the underlying hash function has some reasonable cryptographic strengths—that is, HMAC's strengths are directly connected to the strength of the hash function [6].

[0180] Since the HMAC construct is a wrapper, any iterative hash function can be used in an HMAC. Examples include HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD-160 etc.

[0181] Given the following definitions:

[0182] H=the hash function (e.g. MD5 or SHA-1)

[0183] n=number of bits output from H (e.g. 160 for SHA-1, 128 bits for MD5)

[0184] M=the data to which the MAC function is to be applied

[0185] K=the secret key shared by the two parties

[0186] ipad=0x36 repeated 64 times

[0187] opad=0x5C repeated 64 times

[0188] The HMAC algorithm is as follows:

[0189] 1. Extend K to 64 bytes by appending 0x00 bytes to the end of K

[0190] 2. XOR the 64 byte string created in (1) with ipad

[0191] 3. Append data stream M to the 64 byte string created in (2)

[0192] 4. Apply H to the stream generated in (3)

[0193] 5. XOR the 64 byte string created in (1) with opad

[0194] 6. Append the H result from (4) to the 64 byte string resulting from (5)

[0195] 7. Apply H to the output of (6) and output the result

[0196] Thus:

[0197] HMAC[M]=H[(K⊕opad)|H[(K⊕ipad)|M]]

[0198] The recommended key length is at least n bits, although it should not be longer than 64 bytes (the length of the hashing block). A key longer than n bits does not add to the security of the function.

[0199] HMAC optionally allows truncation of the final output, e.g. truncation to 128 bits from 160 bits.
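The seven steps above written out literally, as an added example that is not part of the patent text: only hashlib is used for the steps themselves, the standard-library hmac module serves only to cross-check the result, and the 64-byte block, ipad/opad values, key-length rule and optional truncation are the ones given above. The sample key and message are constructed.

```python
"""HMAC[M] = H[(K xor opad) | H[(K xor ipad) | M]] built step by step from the
definition in the text (added example, not the patent's own code)."""
import hashlib
import hmac
from typing import Optional

BLOCK_SIZE = 64                      # hashing block length in bytes (MD5, SHA-1, RIPEMD-160)
IPAD = bytes([0x36]) * BLOCK_SIZE    # 0x36 repeated 64 times
OPAD = bytes([0x5C]) * BLOCK_SIZE    # 0x5C repeated 64 times


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1",
                         truncate_to_bits: Optional[int] = None) -> bytes:
    """Steps 1-7 of the text. Keys longer than the 64-byte block are rejected
    (the text recommends n bits <= |K| <= 64 bytes), so step 1 is exactly
    'append 0x00 bytes' and nothing else."""
    if len(key) > BLOCK_SIZE:
        raise ValueError("key longer than the 64-byte hashing block")
    h = lambda data: hashlib.new(hash_name, data).digest()
    k_padded = key + b"\x00" * (BLOCK_SIZE - len(key))   # step 1: extend K to 64 bytes
    inner = h(_xor(k_padded, IPAD) + message)             # steps 2-4: H[(K xor ipad) | M]
    tag = h(_xor(k_padded, OPAD) + inner)                 # steps 5-7: H[(K xor opad) | inner]
    if truncate_to_bits is not None:                      # optional truncation, e.g. 160 -> 128 bits
        tag = tag[: truncate_to_bits // 8]
    return tag


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute MAC[M] (at the received tag's length) and compare
    without an early exit, so the comparison does not reveal where a forgery
    first differs."""
    expected = hmac_from_definition(key, message, hash_name, len(tag) * 8)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True if the step-by-step construction agrees with hmac.new for these inputs."""
    return hmac_from_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    k, m = b"shared-secret", b"I owe B $10"    # constructed sample key and message
    t = hmac_from_definition(k, m)
    print(t.hex(), matches_stdlib(k, m))
    print(verify(k, m, t), verify(k, b"I owe B $1 million", t))   # True False
```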

[0200] The HMAC designers' Request for Comments [51] was issued in 1997, one year after the algorithm was first introduced. The designers claimed that the strongest known attack against HMAC is based on the frequency of collisions for the hash function H (see Section 5.5.10), and is totally impractical for minimally reasonable hash functions:

[0201] As an example, if we consider a hash function like MD5 where the output length is 128 bits, the attacker needs to acquire the correct message authentication tags computed (with the same secret key K) on about 2⁶⁴ known plaintexts. This would require the processing of at least 2⁶⁴ blocks under H, an impossible task in any realistic scenario (for a block length of 64 bytes this would take 250,000 years in a continuous 1 Gbps link, and without changing the secret key K all this time). This attack could become realistic only if serious flaws in the collision behavior of the function H are discovered (e.g. collisions found after 2³⁰ messages). Such a discovery would determine the immediate replacement of function H (the effects of such a failure would be far more severe for the traditional uses of H in the context of digital signatures, public key certificates etc).

[0202] Of course, if a 160-bit hash function is used, then 2⁶⁴ should be replaced with 2⁸⁰.

[0203] This should be contrasted with a regular collision attack on cryptographic hash functions where no secret key is involved and 2⁶⁴ off-line parallelizable operations suffice to find collisions.

[0204] More recently, HMAC protocols with replay prevention components [62] have been defined in order to prevent the capture and replay of any M, HMAC[M] combination within a given time period.

[0205] Finally, it should be noted that HMAC is in the public domain [50], and incurs no licensing fees. There are no known patents infringed by HMAC.

[0206] 3.7 Random Numbers and Time Varying Messages

[0207] The use of a random number generator as a one-way function has already been examined. However, random number generator theory is very much intertwined with cryptography, security, and authentication.

[0208] There are a large number of issues concerned with defining good random number generators. Knuth, in [48] describes what makes a generator good (including statistical tests), and the general problems associated with constructing them. Moreau gives a high level survey of the current state of the field in [60].

[0209] One of the uses for random numbers is to ensure that messages vary over time. Consider a system where A encrypts commands and sends them to B. If the encryption algorithm produces the same output for a given input, an attacker could simply record the messages and play them back to fool B. There is no need for the attacker to crack the encryption mechanism other than to know which message to play to B (while pretending to be A). Consequently messages often include a random number and a time stamp to ensure that the message (and hence its encrypted counterpart) varies each time.

[0210] Random number generators are also often used to generate keys. Although Klapper has recently shown [45] that a family of secure feedback registers for the purposes of building key-streams does exist, he does not give any practical construction. It is therefore best to say at the moment that all generators are insecure for this purpose. For example, the Berlekamp-Massey algorithm [54], is a classic attack on an LFSR random number generator. If the LFSR is of length n, then only 2n bits of the sequence suffice to determine the LFSR, compromising the key generator.
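The 2n-bit claim above made concrete, as an added example that is not from the patent: a Berlekamp-Massey implementation over GF(2) recovers a length-5 LFSR from 10 output bits and then predicts the rest of the stream, while 5 bits are not enough. The LFSR taps (x⁵ + x³ + 1) and seed are constructed sample values.

```python
"""Berlekamp-Massey over GF(2) recovering an LFSR from 2n output bits
(added example, not the patent's own code)."""
from functools import reduce
from typing import List, Sequence, Tuple


def lfsr_sequence(seed: Sequence[int], taps: Sequence[int], count: int) -> List[int]:
    """Fibonacci LFSR: s[i] = XOR of s[i-t] for t in taps. The register length n
    is len(seed) and max(taps) == n."""
    seq = list(seed)
    while len(seq) < count:
        seq.append(reduce(lambda acc, t: acc ^ seq[-t], taps, 0))
    return seq[:count]


def berlekamp_massey(s: Sequence[int]) -> Tuple[int, List[int]]:
    """Return (L, c): L is the linear complexity of s and c[0..L] (c[0] == 1) the
    connection polynomial with s[i] = c[1]&s[i-1] ^ ... ^ c[L]&s[i-L] for i >= L.
    If s comes from an LFSR of length n and len(s) >= 2n, L == n and c is unique."""
    n = len(s)
    c = [1] + [0] * n           # current connection polynomial C(x)
    b = [1] + [0] * n           # copy of C(x) from before the last length change
    L, m = 0, -1
    for i in range(n):
        d = s[i]                # discrepancy between s[i] and what C(x) predicts
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m       # C(x) <- C(x) + x^shift * B(x)
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:      # the shortest LFSR so far cannot explain s[i]: grow it
                L, m, b = i + 1 - L, i, t
    return L, c[: L + 1]


def predict(known: Sequence[int], c: Sequence[int], count: int) -> List[int]:
    """Extend a sequence with a recovered connection polynomial."""
    seq = list(known)
    L = len(c) - 1
    for _ in range(count):
        seq.append(reduce(lambda acc, j: acc ^ (c[j] & seq[-j]), range(1, L + 1), 0))
    return seq[len(known):]


if __name__ == "__main__":
    n, taps, seed = 5, (3, 5), [1, 0, 0, 0, 0]      # constructed: x^5 + x^3 + 1, period 31
    stream = lfsr_sequence(seed, taps, 40)
    L, c = berlekamp_massey(stream[: 2 * n])        # only 2n = 10 bits observed
    print(L, c)                                     # 5 [1, 0, 0, 1, 0, 1]
    print(predict(stream[: 2 * n], c, 30) == stream[2 * n:])    # True: the rest of the stream is known
    L5, c5 = berlekamp_massey(stream[:n])           # n bits are not enough
    print(L5, predict(stream[:n], c5, 1) == stream[n:n + 1])    # shorter register, wrong prediction
```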

[0211] If, however, the only role of the random number generator is to make sure that messages vary over time, the security of the generator and seed is not as important as it is for session key generation. If however, the random number seed generator is compromised, and an attacker is able to calculate future “random” numbers, it can leave some protocols open to attack. Any new protocol should be examined with respect to this situation.

[0212] The actual type of random number generator required will depend upon the implementation and the purposes for which the generator is used. Generators include Blum, Blum, and Shub [10], stream ciphers such as RC4 by Ron Rivest [71], hash functions such as SHA-1 [28] and RIPEMD-160 [66], and traditional generators such as LFSRs (Linear Feedback Shift Registers) [48] and their more recent counterpart FCSRs (Feedback with Carry Shift Registers) [44].

[0213] 3.8 Attacks

[0214] This section describes the various types of attacks that can be undertaken to break an authentication cryptosystem. The attacks are grouped into physical and logical attacks.

[0215] Logical attacks work on the protocols or algorithms rather than their physical implementation, and attempt to do one of three things:

[0216] Bypass the authentication process altogether

[0217] Obtain the secret key by force or deduction, so that any question can be answered

[0218] Find enough about the nature of the authenticating questions and answers in order to, without the key, give the right answer to each question.

[0219] The attack styles and the forms they take are detailed below.

[0220] Regardless of the algorithms and protocol used by a security chip, the circuitry of the authentication part of the chip can come under physical attack. Physical attacks come in four main ways, although the form of the attack can vary:

[0221] Bypassing the security chip altogether

[0222] Physical examination of the chip while in operation (destructive and non-destructive)

[0223] Physical decomposition of chip

[0224] Physical alteration of chip

[0225] The attack styles and the forms they take are detailed below.

[0226] This section does not suggest solutions to these attacks. It merely describes each attack type. The examination is restricted to the context of an authentication chip (as opposed to some other kind of system, such as Internet authentication) attached to some System.

[0227] 3.8.1 Logical Attacks

[0228] These attacks are those which do not depend on the physical implementation of the cryptosystem. They work against the protocols and the security of the algorithms and random number generators.

[0229] 3.8.1.1 Ciphertext Only Attack

[0230] This is where an attacker has one or more encrypted messages, all encrypted using the same algorithm. The aim of the attacker is to obtain the plaintext messages from the encrypted messages. Ideally, the key can be recovered so that all messages in the future can also be recovered.

[0231] 3.8.1.2 Known Plaintext Attack

[0232] This is where an attacker has both the plaintext and the encrypted form of the plaintext. In the case of an authentication chip, a known-plaintext attack is one where the attacker can see the data flow between the system and the authentication chip. The inputs and outputs are observed (not chosen by the attacker), and can be analyzed for weaknesses (such as birthday attacks or by a search for differentially interesting input/output pairs).

[0233] A known plaintext attack can be carried out by connecting a logic analyzer to the connection between the system and the authentication chip.

[0234] 3.8.1.3 Chosen Plaintext Attacks

[0235] A chosen plaintext attack describes one where a cryptanalyst has the ability to send any chosen message to the cryptosystem, and observe the response. If the cryptanalyst knows the algorithm, there may be a relationship between inputs and outputs that can be exploited by feeding a specific output to the input of another function.

[0236] The chosen plaintext attack is much stronger than the known plaintext attack since the attacker can choose the messages rather than simply observe the data flow.

[0237] On a system using an embedded authentication chip, it is generally very difficult to prevent chosen plaintext attacks since the cryptanalyst can logically pretend he/she is the system, and thus send any chosen bit-pattern streams to the authentication chip.

[0238] 3.8.1.4 Adaptive Chosen Plaintext Attacks

[0239] This type of attack is similar to the chosen plaintext attacks except that the attacker has the added ability to modify subsequent chosen plaintexts based upon the results of previous experiments. This is certainly the case with any system/authentication chip scenario described for consumables such as photocopiers and toner cartridges, especially since both systems and consumables are made available to the public.

[0240] 3.8.1.5 Brute Force Attack

[0241] A guaranteed way to break any key-based cryptosystem algorithm is simply to try every key. Eventually the right one will be found. This is known as a brute force attack. However, the more key possibilities there are, the more keys must be tried, and hence the longer it takes (on average) to find the right one. If there are N keys, it will take a maximum of N tries. If the key is N bits long, it will take a maximum of 2^(N) tries, with a 50% chance of finding the key after only half the attempts (2^(N−1)). The longer N becomes, the longer it will take to find the key, and hence the more secure the key is. Of course, an attack may guess the key on the first try, but this is more unlikely the longer the key is.

[0242] Consider a key length of 56 bits. In the worst case, all 2⁵⁶ tests (7.2×10¹⁶ tests) must be made to find the key. In 1977, Diffie and Hellman described a specialized machine for cracking DES, consisting of one million processors, each capable of running one million tests per second [17]. Such a machine would take 20 hours to break any DES code.

[0243] Consider a key length of 128 bits. In the worst case, all 2¹²⁸ tests (3.4×10³⁸ tests) must be made to find the key. This would take ten billion years on an array of a trillion processors each running 1 billion tests per second.

[0244] With a long enough key length, a brute force attack takes too long to be worth the attacker's efforts.

[0245] 3.8.1.6 Guessing attack

[0246] This type of attack is where an attacker attempts to simply “guess” the key. As an attack it is identical to the brute force attack (see Section 3.8.1.5) where the odds of success depend on the length of the key.

[0247] 3.8.1.7 Quantum Computer Attack

[0248] To break an n-bit key, a quantum computer [83] (NMR, Optical, or Caged Atom) containing n qubits embedded in an appropriate algorithm must be built. The quantum computer effectively exists in 2^(n) simultaneous coherent states. The trick is to extract the right coherent state without causing any decoherence. To date this has been achieved with a 2 qubit system (which exists in 4 coherent states). It is thought possible to extend this to 6 qubits (with 64 simultaneous coherent states) within a few years.

[0249] Unfortunately, every additional qubit halves the relative strength of the signal representing the key. This rapidly becomes a serious impediment to key retrieval, especially with the long keys used in cryptographically secure systems.

[0250] As a result, attacks on a cryptographically secure key (e.g. 160 bits) using a Quantum Computer are likely not to be feasible and it is extremely unlikely that quantum computers will have achieved more than 50 or so qubits within the commercial lifetime of the authentication chips. Even using a 50 qubit quantum computer, 2¹¹⁰ tests are required to crack a 160 bit key.

[0251] 3.8.1.8 Purposeful Error Attack

[0252] With certain algorithms, attackers can gather valuable information from the results of a bad input. This can range from the error message text to the time taken for the error to be generated.

[0253] A simple example is that of a userid/password scheme. If the error message usually says “Bad userid”, then when an attacker gets a message saying “Bad password” instead, then they know that the userid is correct. If the message always says “Bad userid/password” then much less information is given to the attacker. A more complex example is that of the recent published method of cracking encryption codes from secure web sites [41]. The attack involves sending particular messages to a server and observing the error message responses. The responses give enough information to learn the keys—even the lack of a response gives some information.

[0254] An example of algorithmic time can be seen with an algorithm that returns an error as soon as an erroneous bit is detected in the input message. Depending on hardware implementation, it may be a simple method for the attacker to time the response and alter each bit one by one depending on the time taken for the error response, and thus obtain the key. Certainly in a chip implementation the time taken can be observed with far greater accuracy than over the Internet.
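The early-exit comparison described in [0254] beside a data-independent one, as an added example that is not from the patent: instead of measuring time, each comparison reports how many bytes it examined, which is exactly what a timing measurement on a chip would expose. The 16-byte sample key is constructed.

```python
"""Why an early-exit comparison leaks, and the constant-work alternative
(added example, not the patent's own code). Work is reported as a byte count
rather than measured time, so the effect is deterministic and visible."""
import hmac
from typing import Callable, List, Tuple


def compare_early_exit(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Stops at the first mismatching byte, returning (equal, bytes_examined).
    The count, and so the response time, grows with the length of the correct
    prefix: each wrong guess reveals how much of it was right."""
    if len(expected) != len(candidate):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, candidate)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def compare_constant_work(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Examines every byte and folds all differences into one accumulator, so
    the work done does not depend on where (or whether) a mismatch occurs."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for x, y in zip(expected, candidate):
        diff |= x ^ y
    return diff == 0, len(expected)


def work_profile(expected: bytes, compare: Callable[[bytes, bytes], Tuple[bool, int]]) -> List[int]:
    """For each prefix length p, compare `expected` with a candidate that is
    correct in its first p bytes and wrong at byte p; return the bytes examined.
    A flat profile means the comparison reveals nothing about the prefix."""
    profile = []
    for p in range(len(expected)):
        candidate = expected[:p] + bytes([expected[p] ^ 0xFF]) + expected[p + 1:]
        profile.append(compare(expected, candidate)[1])
    return profile


if __name__ == "__main__":
    secret = bytes(range(16))                            # constructed sample key
    print(work_profile(secret, compare_early_exit))      # [1, 2, 3, ..., 16]: leaks the prefix length
    print(work_profile(secret, compare_constant_work))   # [16, 16, 16, ...]: flat
    # hmac.compare_digest is the standard-library form of the constant-work comparison
    print(hmac.compare_digest(secret, secret))
```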

[0255] 3.8.1.9 Birthday Attack

[0256] This attack is named after the famous “birthday paradox” (which is not actually a paradox at all). The odds of one person sharing a birthday with another, is 1 in 365 (not counting leap years). Therefore there must be 183 people in a room for the odds to be more than 50% that one of them shares your birthday. However, there only needs to be 23 people in a room for there to be more than a 50% chance that any two share a birthday, as shown in the following relation:

[0257] Prob = 1 − nPr/n^(r) = 1 − 365P23/365²³ ≈ 0.507

(where nPr = n!/(n−r)! is the number of permutations of r items chosen from n, here n = 365 days and r = 23 people)

[0258] Birthday attacks are common attacks against hashing algorithms, especially those algorithms that combine hashing with digital signatures.

[0259] If a message has been generated and already signed, an attacker must search for a collision message that hashes to the same value (analogous to finding one person who shares your birthday). However, if the attacker can generate the message, the birthday attack comes into play. The attacker searches for two messages that share the same hash value (analogous to any two people sharing a birthday), only one message is acceptable to the person signing it, and the other is beneficial for the attacker. Once the person has signed the original message the attacker simply claims now that the person signed the alternative message—mathematically there is no way to tell which message was the original, since they both hash to the same value.

[0260] Assuming a brute force attack is the only way to determine a match, the weakening of an n-bit key by the birthday attack is 2^(n/2). A key length of 128 bits that is susceptible to the birthday attack has an effective length of only 64 bits.
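The birthday relation of [0257] and the 2^(n/2) effective strength of [0260] worked through, as an added example that is not from the patent: the probability is evaluated exactly as 1 − nPr/n^(r), and a collision search against SHA-1 truncated to a small number of bits shows the work landing near the square root of the space rather than the space itself. The message prefix is a constructed sample value.

```python
"""Birthday bound: exact probability, the 23-of-365 figure, and a collision
search on a truncated hash (added example, not the patent's own code)."""
import hashlib
from typing import Tuple


def collision_probability(space: int, samples: int) -> float:
    """P(some two of `samples` draws from `space` equally likely values agree)
    = 1 - nPr / n^r, as a running product so 365P23 / 365^23 is never formed."""
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def samples_for_half(space: int) -> int:
    """Smallest number of draws for which a collision is more likely than not."""
    k = 1
    while collision_probability(space, k) <= 0.5:
        k += 1
    return k


def effective_bits(n_bits: int) -> int:
    """An n-bit hash withstands a collision search only to about 2^(n/2) work."""
    return n_bits // 2


def _leading_bits(message: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1(message), standing in for a short hash."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") >> (160 - bits)


def same_leading_bits(m1: bytes, m2: bytes, bits: int) -> bool:
    return _leading_bits(m1, bits) == _leading_bits(m2, bits)


def find_truncated_collision(bits: int, prefix: str = "msg-") -> Tuple[int, bytes, bytes]:
    """Hash prefix-0, prefix-1, ... until two distinct messages share their
    leading `bits` bits. Returns (messages_hashed, m1, m2); the count comes out
    near 2^(bits/2), which is the attacker's cost, not 2^bits."""
    seen = {}
    i = 0
    while True:
        msg = f"{prefix}{i}".encode()
        value = _leading_bits(msg, bits)
        if value in seen:
            return i + 1, seen[value], msg
        seen[value] = msg
        i += 1


if __name__ == "__main__":
    print(round(collision_probability(365, 23), 3))    # 0.507, as in the text
    print(samples_for_half(365))                        # 23
    print(effective_bits(128))                          # 64
    tried, m1, m2 = find_truncated_collision(24)
    print(tried, m1, m2)                                # on the order of 2^12 messages, not 2^24
```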

[0261] 3.8.1.10 Chaining Attack

[0262] These are attacks made against the chaining nature of hash functions. They focus on the compression function of a hash function. The idea is based on the fact that a hash function generally takes arbitrary length input and produces a constant length output by processing the input n bits at a time. The output from one block is used as the chaining variable set into the next block. Rather than finding a collision against an entire input, the idea is that given an input chaining variable set, to find a substitute block that will result in the same output chaining variables as the proper message.

[0263] The number of choices for a particular block is based on the length of the block. If the chaining variable is c bits, the hashing function behaves like a random mapping, and the block length is b bits, the number of such b-bit blocks is approximately 2^(b)/2^(c). The challenge for finding a substitution block is that such blocks are a sparse subset of all possible blocks.

[0264] For SHA-1, the number of 512 bit blocks is approximately 2⁵¹²/2¹⁶⁰, or 2³⁵². The chance of finding a block by brute force search is about 1 in 2¹⁶⁰.

[0265] 3.8.1.11 Substitution with a Complete Lookup Table

[0266] If the number of potential messages sent to the chip is small, then there is no need for a clone manufacturer to crack the key. Instead, the clone manufacturer could incorporate a ROM in their chip that had a record of all of the responses from a genuine chip to the codes sent by the system. The larger the key, and the larger the response, the more space is required for such a lookup table.

[0267] 3.8.1.12 Substitution with a Sparse Lookup Table

[0268] If the messages sent to the chip are somehow predictable, rather than effectively random, then the clone manufacturer need not provide a complete lookup table. For example:

[0269] If the message is simply a serial number, the clone manufacturer need simply provide a lookup table that contains values for past and predicted future serial numbers. There are unlikely to be more than 10⁹ of these.

[0270] If the test code is simply the date, then the clone manufacturer can produce a lookup table using the date as the address.

[0271] If the test code is a pseudo-random number using either the serial number or the date as a seed, then the clone manufacturer just needs to crack the pseudo-random number generator in the system. This is probably not difficult, as they have access to the object code of the system. The clone manufacturer would then produce a content addressable memory (or other sparse array lookup) using these codes to access stored authentication codes.

[0272] 3.8.1.13 Differential Cryptanalysis

[0273] Differential cryptanalysis describes an attack where pairs of input streams are generated with known differences, and the differences in the encoded streams are analyzed.

[0274] Existing differential attacks are heavily dependent on the structure of S boxes, as used in DES and other similar algorithms. Although other algorithms such as HMAC-SHA1 have no S boxes, an attacker can undertake a differential-like attack by undertaking statistical analysis of:

[0275] Minimal-difference inputs, and their corresponding outputs

[0276] Minimal-difference outputs, and their corresponding inputs

[0277] Most algorithms were strengthened against differential cryptanalysis once the process was described. This is covered in the specific sections devoted to each cryptographic algorithm. However some recent algorithms developed in secret have been broken because the developers had not considered certain styles of differential attacks [91] and did not subject their algorithms to public scrutiny.

[0278] 3.8.1.14 Message Substitution Attacks

[0279] In certain protocols, a man-in-the-middle can substitute part or all of a message. This is where a real authentication chip is plugged into a reusable clone chip within the consumable. The clone chip intercepts all messages between the system and the authentication chip, and can perform a number of substitution attacks.

[0280] Consider a message containing a header followed by content. An attacker may not be able to generate a valid header, but may be able to substitute their own content, especially if the valid response is something along the lines of “Yes, I received your message”. Even if the return message is “Yes, I received the following message . . . ”, the attacker may be able to substitute the original message before sending the acknowledgment back to the original sender.

[0281] Message Authentication Codes were developed to combat message substitution attacks.

[0282] 3.8.1.15 Reverse Engineering the Key Generator

[0283] If a pseudo-random number generator is used to generate keys, there is the potential for a clone manufacturer to obtain the generator program or to deduce the random seed used. This was the way in which the security layer of the Netscape browser program was initially broken [33].

[0284] 3.8.1.16 Bypassing the Authentication Process

[0285] It may be that there are problems in the authentication protocols that can allow a bypass of the authentication process altogether. With these kinds of attacks the key is completely irrelevant, and the attacker has no need to recover it or deduce it.

[0286] Consider an example of a system that authenticates at power-up, but does not authenticate at any other time. A reusable consumable with a clone authentication chip may make use of a real authentication chip. The clone authentication chip uses the real chip for the authentication call, and then simulates the real authentication chip's state data after that.

[0287] Another example of bypassing authentication is if the system authenticates only after the consumable has been used. A clone authentication chip can accomplish a simple authentication bypass by simulating a loss of connection after the use of the consumable but before the authentication protocol has completed (or even started).

[0288] One infamous attack known as the “Kentucky Fried Chip” hack [2] involved replacing a microcontroller chip for a satellite TV system. When a subscriber stopped paying the subscription fee, the system would send out a “disable” message. However the new micro-controller would simply detect this message and not pass it on to the consumer's satellite TV system.

[0289] 3.8.1.17 Garrote/Bribe Attack

[0290] If people know the key, there is the possibility that they could tell someone else. The telling may be due to coercion (bribe, garrote etc.), revenge (e.g. a disgruntled employee), or simply for principle. These attacks are usually cheaper and easier than other efforts at deducing the key. As an example, a number of people claiming to be involved with the development of the Divx standard have recently (May/June 1998) been making noises on a variety of DVD newsgroups to the effect they would like to help develop Divx specific cracking devices—out of principle.

[0291] 3.8.2 Physical Attacks

[0292] The following attacks assume implementation of an authentication mechanism in a silicon chip that the attacker has physical access to. The first attack, Reading ROM, describes an attack when keys are stored in ROM, while the remaining attacks assume that a secret key is stored in Flash memory.

[0293] 3.8.2.1 Reading ROM

[0294] If a key is stored in ROM it can be read directly. A ROM can thus be safely used to hold a public key (for use in asymmetric cryptography), but not to hold a private key. In symmetric cryptography, a ROM is completely insecure. Using a copyright text (such as a haiku) as the key is not sufficient, because we are assuming that the cloning of the chip is occurring in a country where intellectual property is not respected.

[0295] 3.8.2.2 Reverse Engineering of Chip

[0296] Reverse engineering of the chip is where an attacker opens the chip and analyzes the circuitry. Once the circuitry has been analyzed the inner workings of the chip's algorithm can be recovered.

[0297] Lucent Technologies have developed an active method [4] known as TOBIC (Two photon OBIC, where OBIC stands for Optical Beam Induced Current), to image circuits. Developed primarily for static RAM analysis, the process involves removing any back materials, polishing the back surface to a mirror finish, and then focusing light on the surface. The excitation wavelength is specifically chosen not to induce a current in the IC.

[0298] A. Kerckhoffs in the nineteenth century made a fundamental assumption about cryptanalysis: if the algorithm's inner workings are the sole secret of the scheme, the scheme is as good as broken [39]. He stipulated that the secrecy must reside entirely in the key. As a result, the best way to protect against reverse engineering of the chip is to make the inner workings irrelevant.

[0299] 3.8.2.3 Usurping the Authentication Process

[0300] It must be assumed that any clone manufacturer has access to both the system and consumable designs.

[0301] If the same channel is used for communication between the system and a trusted system authentication chip, and a non-trusted consumable authentication chip, it may be possible for the non-trusted chip to interrogate a trusted authentication chip in order to obtain the “correct answer”. If this is so, a clone manufacturer would not have to determine the key. They would only have to trick the system into using the responses from the system authentication chip.

[0302] The alternative method of usurping the authentication process follows the same method as the logical attack described in Section 3.8.1.16, involving simulated loss of contact with the system whenever authentication processes take place, simulating power-down etc.

[0303] 3.8.2.4 Modification of System

[0304] This kind of attack is where the system itself is modified to accept clone consumables. The attack may be a change of system ROM, a rewiring of the consumable, or, taken to the extreme case, a complete clone system.

[0305] Note that this kind of attack requires each individual system to be modified, and would most likely require the owner's consent. There would usually have to be a clear advantage for the consumer to undertake such a modification, since it would typically void warranty and would most likely be costly. An example of such a modification with a clear advantage to the consumer is a software patch to change fixed-region DVD players into region-free DVD players (although it should be noted that this is not to use clone consumables, but rather originals from the same companies simply targeted for sale in other countries).

[0306] 3.8.2.5 Direct Viewing of Chip Operation by Conventional Probing

[0307] If chip operation could be directly viewed using an STM (ScanningTunnelling Microscope) or an electron beam, the keys could be recordedas they are read from the internal non-volatile memory and loaded intowork registers.

[0308] These forms of conventional probing require direct access to thetop or front sides of the IC while it is powered.

[0309] 3.8.2.6 Direct Viewing of the Non-volatile Memory

[0310] If the chip were sliced so that the floating gates of the Flashmemory were exposed, without discharging them, then the key couldprobably be viewed directly using an STM or SKM (Scanning KelvinMicroscope).

[0311] However, slicing the chip to this level without discharging thegates is probably impossible. Using wet etching, plasma etching, ionmilling (focused ion beam etching), or chemical mechanical polishingwill almost certainly discharge the small charges present on thefloating gates.

[0312] 3.8.2.7 Viewing the Light Bursts Caused by State Changes

[0313] Whenever a gate changes state, a small amount of infrared energyis emitted. Since silicon is transparent to infrared, these changes canbe observed by looking at the circuitry from the underside of a chip.While the emission process is weak, it is bright enough to be detectedby highly sensitive equipment developed for use in astronomy. Thetechnique [89], developed by IBM, is called PICA (Picosecond ImagingCircuit Analyzer). If the state of a register is known at time t, thenwatching that register change over time will reveal the exact value attime t+n, and if the data is part of the key, then that part iscompromised.

[0314] 3.8.2.8 Viewing the Keys Using an SEPM

[0315] A non-invasive testing device, known as a Scanning ElectricPotential Microscope (SEPM), allows the direct viewing of charges withina chip [37]. The SEPM has a tungsten probe that is placed a fewmicrometers above the chip, with the probe and circuit forming acapacitor. Any AC signal flowing beneath the probe causes displacementcurrent to flow through this capacitor. Since the value of the currentchange depends on the amplitude and phase of the AC signal, the signalcan be imaged. If the signal is part of the key, then that part iscompromised.

[0316] 3.8.2.9 Monitoring EMI

[0317] Whenever electronic circuitry operates, faint electromagneticsignals are given off. Relatively inexpensive equipment can monitorthese signals and could give enough information to allow an attacker todeduce the keys.

[0318] 3.8.2.10 Viewing I_(dd) Fluctuations

[0319] Even if keys cannot be viewed, there is a fluctuation in currentwhenever registers change state. If there is a high enough signal tonoise ratio, an attacker can monitor the difference in I_(dd) that mayoccur when programming over either a high or a low bit. The change inI_(dd) can reveal information about the key. Attacks such as these havealready been used to break smart cards [46].

[0320]3.8.2.11 Differential Fault Analysis

[0321] This attack assumes introduction of a bit error by ionization,microwave radiation, or environmental stress. In most cases such anerror is more likely to adversely affect the chip (e.g. cause theprogram code to crash) rather than cause beneficial changes which wouldreveal the key. Targeted faults such as ROM overwrite, gate destructionetc. are far more likely to produce useful results.

[0322] 3.8.2.12 Clock Glitch Attacks

[0323] Chips are typically designed to properly operate within a certainclock speed range. Some attackers attempt to introduce faults in logicby running the chip at extremely high clock speeds or introduce a clockglitch at a particular time for a particular duration [1]. The idea isto create race conditions where the circuitry does not functionproperly. An example could be an AND gate that (because of raceconditions) gates through Input1 all the time instead of the AND ofInput₁ and Input₂.

[0324] If an attacker knows the internal structure of the chip, they canattempt to introduce race conditions at the correct moment in thealgorithm execution, thereby revealing information about the key (or inthe worst case, the key itself).

[0325] 3.8.2.13 Power Supply Attacks

[0326] Instead of creating a glitch in the clock signal, attackers canalso produce glitches in the power supply where the power is increasedor decreased to be outside the working operating voltage range. The neteffect is the same as a clock glitch—introduction of error in theexecution of a particular instruction. The idea is to stop the CPU fromXORing the key, or from shifting the data one bit-position etc. Specificinstructions are targeted so that information about the key is revealed.

[0327] 3.8.2.14 Overwriting ROM

[0328] Single bits in a ROM can be overwritten using a laser cuttermicroscope [1], to either 1 or 0 depending on the sense of the logic. Ifthe ROM contains instructions, it may be a simple matter for an attackerto change a conditional jump to a non-conditional jump, or perhapschange the destination of a register transfer. If the target instructionis chosen carefully, it may result in the key being revealed.

[0329] 3.8.2.15 Modifying EEPROM/Flash

[0330] These attacks fall into two categories:

[0331] those similar to the ROM attacks except that the laser cuttermicroscope technique can be used to both set and reset individual bits.This gives much greater scope in terms of modification of algorithms.

[0332] Electron beam programming of floating gates. As described in [87]and [32], a focused electron beam can change a gate by depositingelectrons onto it. Damage to the rest of the circuit can be avoided, asdescribed in [31]. This attack is potentially able to work againstmulti-level flash memory.

[0333] 3.8.2.16 Gate Destruction

[0334] Anderson and Kuhn described the rump session of the 1997 workshopon Fast Software Encryption [1], where Biham and Shamir presented anattack on DES. The attack was to use a laser cutter to destroy anindividual gate in the hardware implementation of a known block cipher(DES). The net effect of the attack was to force a particular bit of aregister to be “stuck”. Biham and Shamir described the effect of forcinga particular register to be affected in this way—the least significantbit of the output from the round function is set to 0. Comparing the 6least significant bits of the left half and the right half can recoverseveral bits of the key. Damaging a number of chips in this way canreveal enough information about the key to make complete key recoveryeasy.

[0335] An encryption chip modified in this way will have the propertythat encryption and decryption will no longer be inverses.

[0336] 3.8.2.17 Overwrite Attacks

[0337] Instead of trying to read the Flash memory, an attacker maysimply set a single bit by use of a laser cutter microscope. Althoughthe attacker doesn't know the previous value, they know the new value.If the chip still works, the bit's original state must be the same asthe new state. If the chip doesn't work any longer, the bit's originalstate must be the logical NOT of the current state. An attacker canperform this attack on each bit of the key and obtain the n-bit keyusing at most n chips (if the new bit matched the old bit, a new chip isnot required for determining the next bit).

[0338] 3.8.2.18 Test Circuitry Attack

[0339] Most chips contain test circuitry specifically designed to checkfor manufacturing defects. This includes BIST (Built In Self Test) andscan paths. Quite often the scan paths and test circuitry includesaccess and readout mechanisms for all the embedded latches. In somecases the test circuitry could potentially be used to give informationabout the contents of particular registers.

[0340] Test circuitry is often disabled once the chip has passed allmanufacturing tests, in some cases by blowing a specific connectionwithin the chip. A determined attacker, however, can reconnect the testcircuitry and hence enable it.

[0341] 3.8.2.19 Memory Remanence

[0342] Values remain in RAM long after the power has been removed [35],although they do not remain long enough to be considered non-volatile.An attacker can remove power once sensitive information has been movedinto RAM (for example working registers), and then attempt to read thevalue from RAM. This attack is most useful against security systems thathave regular RAM chips. A classic example is cited by [1], where asecurity system was designed with an automatic power-shut-off that istriggered when the computer case is opened. The attacker was able tosimply open the case, remove the RAM chips, and retrieve the key becausethe values persisted.

[0343] 3.8.2.20 Chip Theft Attack

[0344] If there are a number of stages in the lifetime of anauthentication chip, each of these stages must be examined in terms oframifications for security should chips be stolen. For example, ifinformation is programmed into the chip in stages, theft of a chipbetween stages may allow an attacker to have access to key informationor reduced efforts for attack. Similarly, if a chip is stolen directlyafter manufacture but before programming, does it give an attacker anylogical or physical advantage?

[0345] 3.8.2.21 Trojan Horse Attack

[0346] At some stage the authentication chips must be programmed with asecret key. Suppose an attacker builds a clone authentication chip andadds it to the pile of chips to be programmed. The attacker hasespecially built the clone chip so that it looks and behaves just like areal authentication chip, but will give the key out to the attacker whena special attacker-known command is issued to the chip. Of course theattacker must have access to the chip after the programming has takenplace, as well as physical access to add the Trojan horse authenticationchip to the genuine chips.

SUMMARY OF THE INVENTION

[0347] This invention is a validation protocol for determining whether an untrusted authentication chip is valid, or not, including the steps of:

[0348] Generating a secret random number and calculating a signature for the random number using a signature function, in a trusted authentication chip;

[0349] Encrypting the random number and the signature with a symmetric encryption function using a first key, in the trusted authentication chip;

[0350] Passing the encrypted random number and signature from the trusted authentication chip to an untrusted authentication chip;

[0351] Decrypting the encrypted random number and signature with a symmetric decryption function using the first key, in the untrusted authentication chip;

[0352] Calculating a signature for the decrypted random number using the signature function, in the untrusted authentication chip;

[0353] Comparing the signature calculated in the untrusted authentication chip with the signature decrypted;

[0354] In the event that the two signatures match, encrypting the decrypted random number by the symmetric encryption function using a second key and returning it to the trusted authentication chip;

[0355] Encrypting the random number by the symmetric encryption function using the second key, in the trusted authentication chip;

[0356] Comparing the two random numbers encrypted using the second key, in the trusted authentication chip;

[0357] In the event that the two random numbers encrypted using the second key match, considering the untrusted authentication chip to be valid;

[0358] Otherwise considering the untrusted authentication chip to be invalid.

[0359] The two keys are held in both the trusted and untrusted authentication chips, and must be kept secret.

[0360] The random number may be generated only in the trusted chip; it should be secret and be seeded with a different initial value each time. A new random number may be generated after each successful validation.

[0361] The symmetric encrypt function may be held in both chips.

[0362] The symmetric decrypt function may be held only in the untrusted chip.

[0363] The signature function may be held in both chips to generate digital signatures. The digital signature must be long enough to counter the chances of someone generating a random signature. 160 bits is the preferred size, giving someone 1 chance in 2¹⁶⁰ of generating a valid signature at random.

[0364] A prove function may be held only in the untrusted chip to test the decrypted random number and signature. It may return the random number encrypted with the second key if a signature calculated from the decrypted random number matches the decrypted signature. Otherwise it may return 0, which indicates the chip is invalid. The time taken to return 0 must be identical for all bad inputs. The time taken to return the random number encrypted with the second key must be the same for all good inputs.

[0365] A test function may be held only in the trusted chip and it may return 1 and advance the random number if the untrusted chip is valid. Otherwise it may return 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return 1 must be identical for all good inputs.

[0366] This protocol may be used to determine the physical presence of a valid authentication chip. In this case a system may call the trusted chip to generate a random number, then call the prove function in the untrusted chip, and finally call the test function in the trusted chip. The untrusted chip may be associated with a consumable so that validation of the untrusted chip authenticates the consumable.
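The validation sequence above, carried out end to end as an added example (not code from the patent): the text leaves the signature function and the symmetric cipher open, so HMAC-SHA1 and a deterministic four-round HMAC-based Feistel permutation are assumed as stand-ins, and the signature is assumed to be keyed with the first key. Beyond the genuine case, the example exercises three outcomes the text implies: a chip without the keys, a replayed response after the random number has advanced, and a tampered challenge.

```python
import hashlib
import hmac
import secrets

# Sizes from the page: a 160-bit random number R and a 160-bit signature S.
R_BYTES = 20
ROUNDS = 4

def signature(key: bytes, x: bytes) -> bytes:
    """S_K[X]. The page leaves the scheme open; HMAC-SHA1 (160 bits) is assumed."""
    return hmac.new(key, x, hashlib.sha1).digest()

def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher, truncated to one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]

def encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the page's symmetric cipher (assumption): a deterministic
    four-round Feistel permutation over the two halves of an even-length block."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for i in range(ROUNDS):
        mixed = _round_function(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mixed))
    return left + right

def decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt: run the rounds backwards."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for i in reversed(range(ROUNDS)):
        mixed = _round_function(key, i, left)
        left, right = bytes(a ^ b for a, b in zip(right, mixed)), left
    return left + right

class TrustedChip:
    """Holds K1, K2, the signature function, the random number and Test."""

    def __init__(self, k1: bytes, k2: bytes):
        self._k1, self._k2 = k1, k2
        self._r = secrets.token_bytes(R_BYTES)  # secret, seeded per chip

    def challenge(self) -> bytes:
        # E_K1[R || S_K1[R]]: R leaves the chip only in encrypted form.
        return encrypt(self._k1, self._r + signature(self._k1, self._r))

    def test(self, received: bytes) -> int:
        # Recompute E_K2[R], compare in constant time, advance R only on success.
        expected = encrypt(self._k2, self._r)
        if hmac.compare_digest(received, expected):
            self._r = secrets.token_bytes(R_BYTES)
            return 1
        return 0

class UntrustedChip:
    """Holds K1, K2, the signature function and Prove (the only place decrypt is needed)."""

    def __init__(self, k1: bytes, k2: bytes):
        self._k1, self._k2 = k1, k2

    def prove(self, challenge: bytes) -> bytes:
        plain = decrypt(self._k1, challenge)
        r, sig = plain[:R_BYTES], plain[R_BYTES:]
        if hmac.compare_digest(signature(self._k1, r), sig):
            return encrypt(self._k2, r)
        return bytes(R_BYTES)  # the page's "return 0" for any bad input

class CloneChip:
    """A chip without the keys: all it can do is echo part of the challenge."""

    def prove(self, challenge: bytes) -> bytes:
        return challenge[:R_BYTES]

def validate(trusted: TrustedChip, untrusted) -> int:
    """The System's three calls: random number, Prove, then Test."""
    return trusted.test(untrusted.prove(trusted.challenge()))

def demo() -> tuple:
    """Returns (genuine, clone, replay, tampered) outcomes; expected (1, 0, 0, 0)."""
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed keys
    trusted, genuine = TrustedChip(k1, k2), UntrustedChip(k1, k2)
    genuine_ok = validate(trusted, genuine)
    clone_ok = validate(trusted, CloneChip())
    # Replay: a recorded good response is worthless once R has advanced.
    recorded = genuine.prove(trusted.challenge())
    validate(trusted, genuine)
    replay_ok = trusted.test(recorded)
    # Tampering: one flipped challenge bit breaks the signature check in Prove.
    bad = bytearray(trusted.challenge())
    bad[0] ^= 0x01
    tampered_ok = trusted.test(genuine.prove(bytes(bad)))
    return genuine_ok, clone_ok, replay_ok, tampered_ok
```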

[0367] The invention also concerns a validation system for performing the method, including a trusted authentication chip and an untrusted authentication chip.

[0368] The trusted authentication chip includes a random number generator, a symmetric encryption function and two secret keys for the function, and a signature function.

[0369] The untrusted authentication chip includes a symmetric encryption and decryption function and two secret keys for these functions, a signature function, and a prove function to test data decrypted using the first key and to return data encrypted using the second key.

[0370] The remainder of the system may be software, hardware or a combination of both. However the trusted chip must be a physical authentication chip. Both chips may have the same internal structure, or they may be different.

[0371] The invention has the following advantages:

[0372] The secret keys are not revealed during the authentication process. The time varying random number is encrypted, so that it is not revealed during the authentication process.

[0373] An attacker cannot build a table of values for the input and output of the encryption process. An attacker cannot call Prove without a valid random number and signature pair encrypted with the first key. The second key is therefore resistant to a chosen text attack. The random number only advances with a validation, so the first key is also not susceptible to a chosen text attack.

[0374] The system is easy to design, especially in low cost systems such as ink-jet printers, as no encryption or decryption is required outside of the chips.

[0375] There are a number of well-documented and cryptanalyzed symmetric algorithms to choose from for implementation, including patent-free and license-free solutions.

[0376] A wide range of signature functions exists, from message authentication codes to random number sequences to key-based symmetric cryptography. Signature functions and symmetric encryption algorithms require fewer gates and are easier to verify than asymmetric algorithms.

[0377] Secure key size for symmetric encryption does not have to be as large as for an asymmetric (public key) algorithm. A minimum of 128 bits can provide appropriate security for symmetric encryption.

[0378] In another aspect the invention is a validation system for determining whether an untrusted authentication chip is valid, the system including a trusted authentication chip and an untrusted authentication chip. The trusted authentication chip includes a random number generator, a symmetric encryption function and two keys for the function, a signature function and a test function. The untrusted authentication chip includes a symmetric encryption and decryption function and two keys for these functions, a signature function, and a prove function. The prove function operates to decrypt a random number and signature encrypted using the first key by the trusted authentication chip, and to calculate another signature from the decrypted random number, for comparison with the decrypted one, and in the event that the comparison is successful to encrypt the random number with the second key and send it back. The test function in the trusted chip then operates to generate an encrypted version of the random number using the second key and to compare it with the received version to validate the untrusted chip.

BRIEF DESCRIPTION OF THE DRAWINGS

[0379] FIG. 1 is a data flow diagram for single chip authentication.

[0380] FIG. 2 is a data flow diagram for double chip authentication.

[0381] FIG. 3 is a data flow diagram for Protocol P1.

[0382] FIG. 4 is a data flow diagram for Protocol P2.

[0383] FIG. 5 is a data flow diagram for Protocol P3.

[0384] FIG. 6 is a data flow diagram for read authentication using Protocol C1.

[0385] FIG. 7 is a data flow diagram for read authentication using Protocol C2.

[0386] FIG. 8 is a data flow diagram for read authentication using Protocol C3.

[0387] FIG. 9 is a block diagram of a 160-bit maximal-period LFSR random number generator.

[0388] FIG. 10 is a block diagram of a clock filter.

[0389] FIG. 11 is a circuit diagram of a tamper detection line.

[0390] FIG. 12 is a layout diagram of an oversize NMOS transistor used as test transistors in the tamper detection line of FIG. 11.

[0391] FIG. 13 is a circuit diagram of part of the tamper detection line of FIG. 11 including XOR gates between the two paths.

[0392] FIG. 14 is a circuit diagram of the normal FET implementation of a CMOS inverter.

[0393] FIG. 15 is a voltage/current diagram for the transistors of the CMOS inverter of FIG. 14.

[0394] FIG. 16 is a circuit diagram of the FET implementation of a non-flashing CMOS inverter.

[0395] FIG. 17 is an impedance diagram for the transistors of the CMOS inverter of FIG. 16.

BEST MODES OF THE INVENTION

[0396] 4 Requirements

[0397] Existing solutions to the problem of authenticating consumables have typically relied on patents covering physical packaging. However this does not stop home refill operations or clone manufacture in countries with weak industrial property protection. Consequently a much higher level of protection is required.

[0398] The authentication mechanism is therefore built into an authentication chip that is embedded in the consumable and allows a system to authenticate that consumable securely and easily. Limiting ourselves to the system authenticating consumables (we don't consider the consumable authenticating the system), two levels of protection can be considered:

[0399] Presence Only Authentication:

[0400] This is where only the presence of an authentication chip is tested. The authentication chip can be removed and used in other consumables, and can be reused indefinitely.

[0401] Consumable Lifetime Authentication:

[0402] This is where not only is the presence of the authentication chip tested for, but also the authentication chip must only last the lifetime of the consumable. For the chip to be re-used it must be completely erased and reprogrammed.

[0403] The two levels of protection address different requirements. We are primarily concerned with Consumable Lifetime authentication in order to prevent cloned versions of high volume consumables. In this case, each chip should hold secure state information about the consumable being authenticated. It should be noted that a Consumable Lifetime authentication chip could be used in any situation requiring a Presence Only authentication chip.

[0404] Requirements for authentication, data storage integrity and manufacture are considered separately. The following sections summarize the requirements of each.

[0405] 4.1 Authentication

[0406] The authentication requirements for both Presence Only and Consumable Lifetime authentication are restricted to the case of a system authenticating a consumable. We do not consider bi-directional authentication where the consumable also authenticates the system. For example, it is not necessary for a valid toner cartridge to ensure it is being used in a valid photocopier.

[0407] For Presence Only authentication, we must be assured that an authentication chip is physically present. For Consumable Lifetime authentication we also need to be assured that state data actually came from the authentication chip, and that it has not been altered en route. These issues cannot be separated—data that has been altered has a new source, and if the source cannot be determined, the question of alteration cannot be settled.

[0408] It is not enough to provide an authentication method that is secret, relying on a home-brew security method that has not been scrutinized by security experts. The primary requirement therefore is to provide authentication by means that have withstood the scrutiny of experts.

[0409] The authentication scheme used by the authentication chip should be resistant to defeat by logical means. Logical types of attack are extensive, and attempt to do one of three things:

[0410] Bypass the authentication process altogether

[0411] Obtain the secret key by force or deduction, so that any question can be answered

[0412] Find enough about the nature of the authenticating questions and answers in order to, without the key, give the right answer to each question.

[0413] The logical attack styles and the forms they take are detailed in Section 3.8.1.

[0414] The algorithm should have a flat keyspace, allowing any random bit string of the required length to be a possible key. There should be no weak keys.

[0415] A solution to the authentication requirement is examined in Section 5.

[0416] 4.2 Data Storage Integrity

[0417] Although authentication protocols take care of ensuring data integrity in communicated messages, data storage integrity is also required. Two kinds of data must be stored within the authentication chip:

[0418] Authentication data, such as secret keys

[0419] Consumable state data, such as serial numbers, media remaining etc.

[0420] The access requirements of these two data types differ greatly. The authentication chip therefore requires a storage/access control mechanism that allows for the integrity requirements of each type.

[0421] A solution to the data storage integrity requirement is examined in Section 7, although the requirements of the two kinds of data are examined briefly here.

[0422] 4.2.1 Authentication Data

[0423] Authentication data must remain confidential. It needs to be stored in the chip during a manufacturing/programming stage of the chip's life, but from then on must not be permitted to leave the chip. It must be resistant to being read from non-volatile memory. The authentication scheme is responsible for ensuring the key cannot be obtained by deduction, and the manufacturing process is responsible for ensuring that the key cannot be obtained by physical means.

[0424] The size of the authentication data memory area must be large enough to hold the necessary keys and secret information as mandated by the authentication protocols.

[0425] 4.2.2 Consumable State Data

[0426] Consumable state data can be divided into the following types. Depending on the application, there will be different numbers of each of these types of data items.

[0427] Read Only

[0428] ReadWrite

[0429] Decrement Only

[0430] Read Only data needs to be stored in the chip during a manufacturing/programming stage of the chip's life, but from then on should not be allowed to change. Examples of Read Only data items are consumable batch numbers and serial numbers.

[0431] ReadWrite data is changeable state information, for example, the last time the particular consumable was used. ReadWrite data items can be read and written an unlimited number of times during the lifetime of the consumable. They can be used to store any state information about the consumable. The only requirement for this data is that it needs to be kept in non-volatile memory. Since an attacker can obtain access to a system (which can write to ReadWrite data), any attacker can potentially change data fields of this type. This data type should not be used for secret information, and must be considered insecure.

[0432] Decrement Only data is used to count down the availability of consumable resources. A photocopier's toner cartridge, for example, may store the amount of toner remaining as a Decrement Only data item. An ink cartridge for a color printer may store the amount of each ink color as a Decrement Only data item, requiring three (one for each of Cyan, Magenta, and Yellow), or even as many as five or six Decrement Only data items. The requirement for this kind of data item is that once programmed with an initial value at the manufacturing/programming stage, it can only reduce in value. Once it reaches the minimum value, it cannot decrement any further. The Decrement Only data item is only required by Consumable Lifetime authentication.

[0433] Note that the size of the consumable state data storage required is only for that information required to be authenticated. Information which would be of no use to an attacker, such as ink color-curve characteristics or ink viscosity, does not have to be stored in the secure state data memory area of the authentication chip.

[0434] 4.3 Manufacture

[0435] The authentication chip must have a low manufacturing cost in order to be included as the authentication mechanism for low cost consumables.

[0436] The authentication chip should use a standard manufacturing process, such as Flash. This is necessary to:

[0437] Allow a great range of manufacturing location options

[0438] Use well-defined and well-behaved technology

[0439] Reduce cost

[0440] Regardless of the authentication scheme used, the circuitry of the authentication part of the chip must be resistant to physical attack. Physical attack comes in four main ways, although the form of the attack can vary:

[0441] Bypassing the authentication chip altogether

[0442] Physical examination of the chip while in operation (destructive and non-destructive)

[0443] Physical decomposition of the chip

[0444] Physical alteration of the chip

[0445] The physical attack styles and the forms they take are detailed in Section 3.8.2.

[0446] Ideally, the chip should be exportable from the USA, so it should not be possible to use an authentication chip as a secure encryption device. This is a low priority requirement since there are many companies in other countries able to manufacture the authentication chips. In any case, the export restrictions from the USA may change.

[0447] A solution to the manufacturing requirement is examined in Section 10.

[0448] 5 Authentication

[0449] Existing solutions to the problem of authenticating consumableshave typically relied on physical patents on packaging. However thisdoes not stop home refill operations or clone manufacture in countrieswith weak industrial property protection. Consequently a much higherlevel of protection is required.

[0450] It is not enough to provide an authentication method that issecret, relying on a home-brew security method that has not beenscrutinized by security experts. Security systems such as Netscape'soriginal proprietary system and the GSM Fraud Prevention Network used bycellular phones are examples where design secrecy caused thevulnerability of the security [33][91]. Both security systems werebroken by conventional means that would have been detected if thecompanies had followed an open design process. The solution is toprovide authentication by means that have withstood the scrutiny ofexperts.

[0451] In this part, we examine a number of protocols that can be usedfor consumables authentication, together with a high level look at theadvantages and disadvantages of each particular scheme. We only usesecurity methods that are publicly described, using known behaviors inthis new way. Readers should be familiar with the concepts and termsdescribed in Section 3. We avoid the Zero Knowledge Proof protocol.

[0452] For all protocols, the security of the scheme relies on a secretkey, not a secret algorithm. The best way to protect against reverseengineering of any authentication chip is to make the algorithmic innerworkings irrelevant (the algorithm of the inner workings must still bemust be valid, but not the actual secret).

[0453] All the protocols rely on a time-variant challenge (i.e. thechallenge is different each time), where the response depends on thechallenge and the secret. The challenge involves a random number so thatany observer will not be able to gather useful information about asubsequent identification.

[0454] Three protocols are presented for each of Presence Only andConsumable Lifetime authentication. Although the protocols differ in thenumber of authentication chips required for the authentication process,in all cases the system authenticates the consumable. Certain protocolswill work with either one or two chips, while other protocols only workwith two chips. Whether one chip or two authentication chips are usedthe system is still responsible for making the authentication decision.

[0455] 5.0.1 Single Chip Authentication

[0456] When only one authentication chip is used for the authenticationprotocol, a single chip 10 (referred to as ChipA) is responsible forproving to a system 11 (referred to as System) that it is authentic. Atthe start of the protocol, System 11 is unsure of ChipA's authenticity.System 11 undertakes a challenge-response protocol with ChipA 10, andthus determines ChipA's authenticity. In all protocols the authenticityof the consumable 12 is directly based on the authenticity of the chipassociated with it, i.e. if ChipA 10 is considered authentic, then theconsumable 12, in which chip 10 is placed, is considered authentic. Thedata flow can be seen in FIG. 1, and involves a challenge 13 issued fromthe system, and a response 14 returned by the chip 10.

[0457] In single chip authentication protocols, System 11 can besoftware, hardware or a combination of both. It is important to notethat System 11 is considered insecure—it can be easily reverseengineered by an attacker, either by examining the ROM or by examiningcircuitry. System is not specially engineered to be secure in itself.

[0458] 5.0.2 Double Chip Authentication

[0459] In other protocols, two authentication chips are required. Asingle chip 20 (referred to as ChipA) is responsible for proving to asystem 21 (referred to as System) that it is authentic. ChipA 20 isassociated with the consumable 22. As part of the authenticationprocess, System 21 makes use of a trusted authentication chip 23(referred to as ChipT).

[0460] In double chip authentication protocols, System 21 can besoftware, hardware or a combination of both. However ChipT 23 must be aphysical authentication chip. In some protocols ChipT 23 and ChipA 20have the same internal structure, while in others ChipT 23 and ChipA 20have different internal structures. The data flow can be seen in FIG. 2,and can be seen to involve a challenge 24 from system 21 to chipA 20 anda request 25 from system 21 to chipT 23, and a response 26 from chipA 20to system 21 and information 27 from chipT 23 to system 21.

[0461]5.1 Presence Only Authentication (Insecure State Data)

[0462] For this level of consumable authentication we are only concernedabout validating the presence of the authentication chip. Although theauthentication chip can contain state information, the transmission ofthat state information would not be considered secure.

[0463] Three protocols are presented. Protocols P1 and P3 require twoauthentication chips, while Protocol P2 can be implemented using eitherone or two authentication chips.

[0464] 5.1.1 Protocol P1

[0465] Protocol P1 is a double chip protocol (two authentication chips are required). Each authentication chip contains the following values:

[0466] K Key for F_(K)[X]. Must be secret.

[0467] R Current random number. Does not have to be secret, but must be seeded with a different initial value for each chip instance. Changes with each invocation of the Random function.

[0468] Each authentication chip contains the following logical functions:

[0469] Random[ ] Returns R, and advances R to next in sequence.

[0470] S[X] Returns S_(K)[X], the result of applying a digital signature function S to X based upon the secret key K. The digital signature must be long enough to counter the chances of someone generating a random signature. The length depends on the signature scheme chosen (see below).

[0471] The protocol is as follows:

[0472] 1. System 21 requests 30 Random[ ] from ChipT 23;

[0473] 2. ChipT 23 returns 31 R to System 21;

[0474] 3. System 21 requests 32 S[R] from ChipT 23 and also requests 33 it from ChipA 20;

[0475] 4. ChipT 23 returns 34 S_(KT)[R] to System 21;

[0476] 5. ChipA 20 returns 35 S_(KA)[R] to System 21;

[0477] 6. System compares S_(KT)[R] with S_(KA)[R]. If they are equal, then ChipA is considered valid. If not, then ChipA is considered invalid.

[0478] The data flow can be seen in FIG. 3:

[0479] Note that System 21 does not have to comprehend S_(K)[R] messages. It must merely check that the responses from ChipA and ChipT are the same. The System 21 therefore does not require the key.
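Protocol P1 steps 1 to 6 as an added Python model, not code from the patent: S is taken to be HMAC-SHA1 (one of the options the text names), the key K, the R seeds and the step that advances R are constructed, and System holds no key and only compares the two responses in constant time.

```python
import hashlib
import hmac

R_LEN = 16  # 128-bit R (constructed choice; the text only requires a large domain)

class AuthChip:
    """One authentication chip holding K and R (constructed model of the text's chip)."""
    def __init__(self, key: bytes, seed: bytes):
        self._key = key   # K: must be secret and is never read out of the chip
        self._r = seed    # R: seeded with a different initial value per chip instance

    def random(self) -> bytes:
        """Random[]: return R and advance R to the next value in sequence.
        The advance step (SHA-1 of the old R) is a stand-in for the chip's own
        generator; the text does not specify how the sequence is produced."""
        r = self._r
        self._r = hashlib.sha1(r).digest()[:R_LEN]
        return r

    def s(self, x: bytes) -> bytes:
        """S[X] = S_K[X], using HMAC-SHA1 (160-bit output) as the keyed signature."""
        return hmac.new(self._key, x, hashlib.sha1).digest()

def protocol_p1(chip_t: AuthChip, chip_a: AuthChip) -> bool:
    """Steps 1-6 as run by System, which holds no key and never interprets S[R]."""
    r = chip_t.random()          # steps 1-2: System obtains R from ChipT
    sig_t = chip_t.s(r)          # steps 3-4: S_KT[R]
    sig_a = chip_a.s(r)          # steps 3, 5: S_KA[R]
    # Step 6: System only checks that the two responses are equal. A
    # constant-time comparison keeps System from leaking which bytes differed.
    return hmac.compare_digest(sig_t, sig_a)

K = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed 128-bit key

def make_chips() -> tuple:
    """ChipT and a genuine ChipA share K but start from different R seeds."""
    return AuthChip(K, b"\x01" * R_LEN), AuthChip(K, b"\x02" * R_LEN)

def demo() -> dict:
    chip_t, chip_a = make_chips()
    clone = AuthChip(b"\x00" * 16, b"\x03" * R_LEN)  # clone: no K, so S_K[R] is out of reach
    return {
        "genuine": protocol_p1(chip_t, chip_a),
        "clone": protocol_p1(chip_t, clone),
        # R must change with every Random call; a fixed R would let a recorded
        # (R, S[R]) pair be replayed by a chip that never held K.
        "r_advances": chip_t.random() != chip_t.random(),
    }
```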

[0480] The security of Protocol P1 lies in two places:

[0481] The security of S[X]. Only authentication chips contain the secret key, so anything that can produce a digital signature S[X] from an X that matches the S[X] generated by a trusted authentication chip (ChipT) must be authentic.

[0482] The domain of R generated by all authentication chips must be large and non-deterministic. If the domain of R generated by all authentication chips is small, then there is no need for a clone manufacturer to crack the key. Instead, the clone manufacturer could incorporate a ROM in their chip that had a record of all of the responses from a genuine chip to the codes sent by the system. The Random function does not strictly have to be in the authentication chip, since System can potentially generate the same random number sequence. However it simplifies the design of System and ensures the security of the random number generator will be the same for all implementations that use the authentication chip, reducing possible error in system implementation.

[0483] Protocol P1 has several advantages:

[0484] K is not revealed during the authentication process

[0485] Given X, a clone chip cannot generate S_(K)[X] without K or access to a real authentication Chip.

[0486] System is easy to design, especially in low cost systems such as ink-jet printers, as no encryption or decryption is required by System itself.

[0487] A wide range of keyed signature functions exists, including symmetric cryptography, random number sequences, and message authentication codes.

[0488] Keyed signature functions (such as one-way functions) require fewer gates and are easier to verify than asymmetric algorithms.

[0489] Secure key size for a keyed signature function does not have to be as large as for an asymmetric (public key) algorithm. A key length of 128 bits provides adequate security if S is a symmetric cryptographic function, while a key length of 160 bits provides adequate security if S is HMAC-SHA1.

[0490] However there are problems with this protocol:

[0491] It is susceptible to chosen text attack. An attacker can plug the chip into their own system, generate chosen Rs, and observe the output. In order to find the key, an attacker can also search for an R that will generate a specific S[R] since multiple authentication chips can be tested in parallel.

[0492] Depending on the one-way function chosen, key generation can be complicated. The method of selecting a good key depends on the algorithm being used. Certain keys are weak for a given algorithm.

[0493] The choice of the keyed one-way function itself is non-trivial. Some require licensing due to patent protection.

[0494] A man-in-the-middle could take action on the plaintext message R before passing it on to ChipA—it would be preferable if the man-in-the-middle did not see R until after ChipA had seen it. It would be even more preferable if a man-in-the-middle didn't see R at all.

[0495] If S is symmetric encryption, because of the 128-bit key size needed for adequate security, the chips could not be exported from the USA since they could be used as strong encryption devices.

[0496] If Protocol P1 is implemented with S as an asymmetric encryption algorithm, there is no advantage over the symmetric case—the keys need to be longer and the encryption algorithm is more expensive in silicon.

[0497] Protocol P1 must be implemented with two authentication chips in order to keep the key secure. This means that each System requires an authentication chip and each consumable requires an authentication chip.

[0498] 5.1.2 Protocol P2

[0499] In some cases, System may contain a large amount of processing power. Alternatively, for instances of systems that are manufactured in large quantities, integration of ChipT into System may be desirable. Use of an asymmetrical encryption algorithm allows the ChipT portion of System to be insecure. Protocol P2 therefore uses asymmetric cryptography.

[0500] For this protocol, each chip contains the following values:

[0501] K_(T) ChipT only. Public key for encrypting. Does not have to be secret.

[0502] K_(A) ChipA only. Private key for decrypting. Must be secret.

[0503] R ChipT only. Current random number. Does not have to be secret, but must be seeded with a different initial value for each chip instance. Changes with each invocation of the Random function.

[0504] The following functions are defined:

[0505] E[X] ChipT only. Returns E_(KT)[X] where E is asymmetric encrypt function E.

[0506] D[X] ChipA only. Returns D_(KA)[X] where D is asymmetric decrypt function D.

[0507] Random[ ] ChipT only. Returns R|E_(K)[R]. Advances R to next in random number sequence.

[0508] The public key K_(T) is in ChipT 23, while the secret key K_(A) is in ChipA 20. Having K_(T) in ChipT 23 has the advantage that ChipT can be implemented in software or hardware (with the proviso that the seed for R is different for each chip or system). Protocol P2 therefore can be implemented as a Single Chip Protocol or as a Double Chip Protocol.

[0509] The protocol for authentication is as follows:

[0510] 1. System 21 calls 40 ChipT's Random function;

[0511] 2. ChipT 23 returns 41 R|E_(KT)[R] to System 21;

[0512] 3. System 21 calls 42 ChipA's D function, passing in E_(KT)[R];

[0513] 4. ChipA 20 returns 43 R, obtained by D_(KA)[E_(KT)[R]];

[0514] 5. System 21 compares R from ChipA 20 to the original R generated by ChipT 23. If they are equal, then ChipA 20 is considered valid. If not, ChipA 20 is invalid.

[0515] The data flow can be seen in FIG. 4:

[0516] Protocol P2 has the following advantages:

[0517] K_(A) (the secret key) is not revealed during the authentication process

[0518] Given E_(KT)[X], a clone chip cannot generate X without K_(A) or access to a real ChipA.

[0519] Since K_(T)≠K_(A), ChipT can be implemented completely in software or in insecure hardware, or as part of System. Only ChipA (in the consumable) is required to be a secure authentication chip.

[0520] If ChipT is a physical chip, System is easy to design.

[0521] There are a number of well-documented and cryptanalyzed asymmetric algorithms to choose from for implementation, including patent-free and license-free solutions.

[0522] However, Protocol P2 has a number of its own problems:

[0523] For satisfactory security, each key needs to be 2048 bits (compared to minimum 128 bits for symmetric cryptography in Protocol P1). The associated intermediate memory used by the encryption and decryption algorithms is correspondingly larger.

[0524] Key generation is non-trivial. Random numbers are not good keys.

[0525] If ChipT is implemented as a core, there may be difficulties in linking it into a given System ASIC.

[0526] If ChipT is implemented as software, not only is the implementation of System open to programming error and non-rigorous testing, but the integrity of the compiler and mathematics primitives must be rigorously checked for each implementation of System. This is more complicated and costly than simply using a well-tested chip.

[0527] Although many asymmetric algorithms are specifically strengthened to be resistant to differential cryptanalysis (which is based on chosen text attacks), the private key K_(A) is susceptible to a chosen text attack.

[0528] It would be preferable to keep R hidden, but since K_(T) and in fact all of ChipT is public, R must be public as well.

[0529] If ChipA and ChipT are instances of the same authentication chip, each chip must contain both asymmetric encrypt and decrypt functionality. Consequently each chip is larger, more complex, and more expensive than the chip required for Protocol P1.

[0530] If the authentication chip is broken into two chips to save cost and reduce complexity of design/test, two chips still need to be manufactured, reducing the economies of scale. This is offset by the relative numbers of systems to consumables, but must still be taken into account.

[0531] Protocol P2 authentication chips could not be exported from the USA, since they would be considered strong encryption devices.

[0532] 5.1.3 Protocol P3

[0533] Protocol P3 attempts to solve one of the problems inherent in Protocols P1 and P2 in that pairs of X, F_(K)[X] can be gathered by the attacker (where F is S or E). Protocol P1 is worse in that it is open to a chosen text attack. It is therefore desirable to pass the chosen random number R from ChipT to ChipA without the intermediate System knowing the value of R. Protocol P2 cannot do this since ChipT is public and hence R is not secret. In addition, since R is random, it is not enough to simply pass an encrypted version of R to ChipA, since a random sequence of bits could be substituted for a different random sequence of bits by the attacker.

[0534] The solution is to encrypt both R and R's digital signature so that ChipA can test if R was in fact generated by ChipT. Since we don't want to reveal R, P3 must be a Double Chip Protocol (ChipT cannot be incorporated into a software System or be included as an ASIC core). Symmetric encryption can therefore be safely used.

[0535] Protocol P3 therefore uses 2 sets of keys. The first key is used in ChipT to encrypt R and the signature of R. The encrypted R is sent to ChipA where R is extracted and verified by ChipA. If the R is valid, ChipA encrypts R using the second key, and outputs the result. The System sends the output from ChipA back to ChipT where it is compared against the known R encrypted with the second key.

[0536] For this protocol, each chip contains the following values:

[0537] K₁ Key for encrypting in ChipT and decrypting in ChipA. Must be secret.

[0538] K₂ Key for encrypting in ChipA and ChipT. Must be secret.

[0539] R Current random number. Must be secret and must be seeded with a different initial value for each chip instance. Changes with each successful call to the Test function.

[0540] The following functions are defined:

[0541] E[X] Internal function only. Returns E_(K)[X] where E is symmetric encrypt function E.

[0542] D[X] Internal function ChipA only. Returns D_(K)[X] where D is symmetric decrypt function D.

[0543] S[X] Internal function only. Returns S[X], the digital signature for X. The digital signature must be long enough to counter the chances of someone generating a random signature. 160 bits is the preferred size, giving someone 1 chance in 2¹⁶⁰ of generating a valid signature by random.

[0544] Random[ ] ChipT only. Returns E_(K1)[R|S[R]].

[0545] Test[X] ChipT only. Returns 1 and advances R if E_(K2)[R]=X. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return 1 must be identical for all good inputs.

[0546] Prove[X] ChipA only. Calculates Y|Z from D_(K1)[X]. Returns E_(K2)[Y] if S[Y]=Z. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return E_(K2)[Y] must be the same for all good inputs.

[0547] The protocol for authentication is as follows:

[0548] 1. System 21 calls 50 ChipT's Random function;

[0549] 2. ChipT 23 returns 51 E_(K1)[R|S[R]] to System 21;

[0550] 3. System 21 calls ChipA's Prove function, passing in E_(K1)[R|S[R]];

[0551] 4. ChipA 20 decrypts E_(K1)[R|S[R]], and calculates its own S[R] based upon the decrypted R. If the two match, ChipA returns 53 E_(K2)[R]. Otherwise ChipA returns 0;

[0552] 5. System 21 calls 54 ChipT's Test function, passing in the returned E_(K2)[R]. ChipT 23 generates its own E_(K2)[R] and compares it against the input value. If they are equal, then ChipA is considered valid and a 1 is returned 55 to System 21. If not, ChipA 20 is considered invalid and 0 is returned to System 21.

[0553] The data flow can be seen in FIG. 5:
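Protocol P3's Random, Prove and Test functions and the five steps above, as an added Python example that is not the patent's code. The symmetric E/D is a Feistel construction built from HMAC-SHA256 standing in for a real block cipher such as AES, S is assumed to be HMAC-SHA1 keyed with K₁ (the text leaves S's key unspecified), and the keys, seed and the step that advances R are constructed; the demo also exercises the two cases the text argues for, a challenge altered in transit being rejected by Prove and a captured response failing once R has advanced.

```python
import hashlib
import hmac

R_LEN = 16     # 128-bit challenge R (constructed choice)
SIG_LEN = 20   # 160-bit signature, the size the text prefers for S
ROUNDS = 4
ZERO = b"\x00" * R_LEN  # stands for the "0" a chip returns on a bad input

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes, n: int) -> bytes:
    """Feistel round function: HMAC-SHA256 as a keyed PRF, truncated to n bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:n]

def encrypt(key: bytes, block: bytes) -> bytes:
    """E_K[X]: deterministic keyed permutation of an even-length block.
    A four-round Luby-Rackoff style Feistel network stands in for a real block
    cipher only because AES is not in the Python standard library."""
    n = len(block) // 2
    l, r = block[:n], block[n:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r, n))
    return l + r

def decrypt(key: bytes, block: bytes) -> bytes:
    """D_K[X]: inverse of encrypt (same rounds, applied in reverse order)."""
    n = len(block) // 2
    l, r = block[:n], block[n:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l, n)), l
    return l + r

def sign(key: bytes, x: bytes) -> bytes:
    """S[X]: HMAC-SHA1. The text does not say which key S uses; K1 is assumed."""
    return hmac.new(key, x, hashlib.sha1).digest()

class ChipT:
    """Trusted chip: holds K1, K2 and the secret random number R."""
    def __init__(self, k1: bytes, k2: bytes, seed: bytes):
        self._k1, self._k2, self._r = k1, k2, seed

    def random(self) -> bytes:
        """Random[]: returns E_K1[R|S[R]]. R itself never leaves the chip."""
        return encrypt(self._k1, self._r + sign(self._k1, self._r))

    def test(self, x: bytes) -> int:
        """Test[X]: 1 and advance R if E_K2[R] == X, otherwise 0."""
        ok = hmac.compare_digest(encrypt(self._k2, self._r), x)
        if ok:  # R only moves on after a valid Test, as the text requires
            self._r = hashlib.sha256(self._r).digest()[:R_LEN]  # stand-in sequence
        return 1 if ok else 0

class ChipA:
    """Consumable chip: decrypts with K1, re-encrypts the challenge with K2."""
    def __init__(self, k1: bytes, k2: bytes):
        self._k1, self._k2 = k1, k2

    def prove(self, x: bytes) -> bytes:
        """Prove[X]: Y|Z = D_K1[X]; return E_K2[Y] if S[Y] == Z, otherwise 0."""
        if len(x) != R_LEN + SIG_LEN:
            return ZERO
        plain = decrypt(self._k1, x)
        y, z = plain[:R_LEN], plain[R_LEN:]
        if not hmac.compare_digest(sign(self._k1, y), z):
            return ZERO  # R was not produced by ChipT, or was altered in transit
        return encrypt(self._k2, y)

def protocol_p3(chip_t: ChipT, chip_a: ChipA) -> bool:
    """Steps 1-5 as run by System: it relays opaque values and holds no key."""
    challenge = chip_t.random()         # steps 1-2
    response = chip_a.prove(challenge)  # steps 3-4
    return chip_t.test(response) == 1   # step 5

# Constructed keys and seed for the demonstration (not values from the patent).
K1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K2 = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")

def demo() -> dict:
    chip_t = ChipT(K1, K2, SEED)
    genuine = ChipA(K1, K2)
    results = {
        "genuine": protocol_p3(chip_t, genuine),
        "clone_wrong_k1": protocol_p3(chip_t, ChipA(b"\x11" * 16, K2)),
        "clone_wrong_k2": protocol_p3(chip_t, ChipA(K1, b"\x22" * 16)),
    }
    # A man-in-the-middle that alters bits of the challenge: ChipA rejects it.
    tampered = bytearray(chip_t.random())
    tampered[0] ^= 0x80
    results["tampered_rejected"] = genuine.prove(bytes(tampered)) == ZERO
    # Replay: a response from one successful run fails once R has advanced.
    response = genuine.prove(chip_t.random())
    first, second = chip_t.test(response), chip_t.test(response)
    results["replay_rejected"] = (first, second) == (1, 0)
    return results
```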

[0554] Protocol P3 has the following advantages:

[0555] K₁ and K₂ (the secret keys) are not revealed during the authentication process

[0556] The time varying challenge R is encrypted, so that it is not revealed during the authentication process. An attacker cannot build a table of X, E_(K)[X] values for K₁ or K₂.

[0557] An attacker cannot call Prove without a valid R|S[R] pair encrypted with K₁. K₂ is therefore resistant to a chosen text attack. R only advances with a valid call to Test, so K₁ is also not susceptible to a chosen text attack.

[0558] System is easy to design, especially in low cost systems such as ink-jet printers, as no encryption or decryption is required by System itself.

[0559] There are a number of well-documented and cryptanalyzed symmetric algorithms to choose from for implementation of E, including patent-free and license-free solutions.

[0560] A wide range of signature functions exists, from message authentication codes to random number sequences to key-based symmetric cryptography.

[0561] Signature functions and symmetric encryption algorithms require fewer gates and are easier to verify than asymmetric algorithms.

[0562] Secure key size for symmetric encryption does not have to be as large as for an asymmetric (public key) algorithm. A minimum of 128 bits can provide appropriate security for symmetric encryption.

[0563] However, Protocol P3 has a number of its own problems:

[0564] Although there are a large number of available functions for E and S, the choice of E and S is non-trivial. Some require licensing due to patent protection.

[0565] Depending on the chosen encryption algorithm, key generation can be complicated. The method of selecting a good key depends on the algorithm being used. Certain keys are weak for a given algorithm.

[0566] If ChipA and ChipT are instances of the same authentication chip, each chip must contain both symmetric encrypt and decrypt functionality. Consequently each chip is larger, more complex, and more expensive than the chip required for Protocol P1 which only has encrypt functionality.

[0567] If the authentication chip is broken into 2 chips to save cost and reduce complexity of design/test, two chips still need to be manufactured, reducing the economies of scale. Unfortunately, ChipA must contain both encrypt and decrypt, making the consumable authentication chip the larger of the two chips. Both chips must also contain signature functions, making them more complex than the chip required for Protocol P1.

[0568] Protocol P3 authentication chips could not be exported from the USA, since they would be considered strong encryption devices.

[0569] 5.1.4 Additional Notes

[0570] 5.1.4.1 General Comments

[0571] Protocol P3 is the most secure of the three Presence Only authentication protocols, since nothing is revealed about the challenge from the response. However, Protocol P3 requires implementation of encryption, decryption and signature functions, making it more expensive in silicon than Protocol P1. In addition, export regulations imposed by the United States make this protocol problematic.

[0572] With Protocol P2, even if the process of choosing a key was straightforward, Protocol P2 is impractical at the present time due to the high cost of silicon implementation (both key size and functional implementation).

[0573] Protocol P1 is therefore the current protocol of choice for Presence Only authentication. Eventually, as silicon costs come down with Moore's Law, and USA export regulations are relaxed, Protocol P3 will be preferable to Protocol P1. When silicon costs are negligible or tight integration is required, Protocol P2 may be preferable to Protocol P1, but the security protocol of choice would still remain Protocol P3.

[0574] 5.1.4.2 Clone Consumable using Real Authentication Chip

[0575] Protocols P1, P2 and P3 only check that ChipA is a real authentication chip. They do not check to see if the consumable 22 itself is valid. The fundamental assumption for authentication is that if ChipA is valid, the consumable is valid.

[0576] It is therefore possible for a clone manufacturer to insert a real authentication chip into a clone consumable. There are two cases to consider:

[0577] In cases where state data is not written to the authentication chip, the chip is completely reusable. Clone manufacturers could therefore recycle a valid consumable into a clone consumable. This may be made more difficult by melding the authentication chip into the consumable's physical packaging, but it would not stop refill operators.

[0578] In cases where state data is written to the authentication chip, the chip may be new, partially used up, or completely used up. However this does not stop a clone manufacturer from using the piggyback attack, where the clone manufacturer builds a chip that has a real authentication chip as a piggyback. The attacker's chip (ChipE) is therefore a man-in-the-middle. At power up, ChipE reads all the memory state values from the real authentication chip into its own memory. ChipE then examines requests from System, and takes different actions depending on the request. Authentication requests can be passed directly to the real authentication chip, while read/write requests can be simulated by a memory that resembles real authentication chip behavior. In this way the authentication chip will always appear fresh at power-up. ChipE can do this because the data access is not authenticated.

[0579] Note that in both these cases, in order to fool System into thinking its data accesses were successful, ChipE still requires a real authentication chip, and in the second case, a clone chip is required in addition to a real authentication chip. Consequently any of these protocols can be useful in situations where it is not cost effective for a clone manufacturer to embed a real authentication chip into the consumable.

[0580] If the consumable cannot be recycled or refilled easily, it may be protection enough to use a Presence Only authentication protocol. For a clone operation to be successful each clone consumable must include a valid authentication chip. The chips would have to be stolen en masse, or taken from old consumables. The quantity of these reclaimed chips (as well as the effort in reclaiming them) should not be enough to base a business on, so the added protection of secure data transfer (see Protocols C1-C3) may not be useful.

[0581] 5.1.4.3 Longevity of Key

[0582] A general problem of these two protocols is that once the authentication key is chosen, it cannot easily be changed. The effect depends on the application of the key. In some instances, if the key is compromised, the results are disastrous. In other cases, it is only a minor inconvenience.

[0583] For example, in a car/car-key System/Consumable scenario, the customer has only one set of car/car-keys. Each car has a different authentication key. Consequently the loss of a car-key only compromises the individual car. If the owner considers this a problem, they must get a new lock on the car by replacing the System chip inside the car's electronics. The owner's keys must be reprogrammed/replaced to work with the new car System authentication chip.

[0584] By contrast, a compromise of a key for a high volume consumable market (for example ink cartridges in printers) would allow a clone ink cartridge manufacturer to make their own authentication chips. The only solution for existing systems is to update the System authentication chips, which is a costly and logistically difficult exercise. In any case, consumers' Systems already work—they have no incentive to hobble their existing equipment.

[0585] 5.2 Consumable Lifetime Authentication

[0586] In this level of consumable authentication we are concerned with validating the existence of the authentication chip, as well as ensuring that the authentication chip lasts only as long as the consumable. In addition to validating that an authentication chip is present, writes and reads of the authentication chip's memory space must be authenticated as well. In this section we assume that the authentication chip's data storage integrity is secure—certain parts of memory are Read Only, others are Read/Write, while others are Decrement Only (see Section 7 for more information).

[0587] Three protocols are presented. Protocols C1 and C3 require two authentication chips, while Protocol C2 can be implemented using either one or two authentication chips.

[0588] 5.2.1 Protocol C1

[0589] This protocol is a double chip protocol (two authentication chips are required). For this protocol, each authentication chip contains the following values:

[0590] K₁ Key for calculating F_(K1)[X]. Must be secret.

[0591] K₂ Key for calculating F_(K2)[X]. Must be secret.

[0592] R Current random number. Does not have to be secret, but must be seeded with a different initial value for each chip instance. Changes with each successful authentication as defined by the Test function.

[0593] M Memory vector of authentication chip. Part of this space should be different for each chip (does not have to be a random number).

[0594] Each authentication chip contains the following logical functions:

[0595] S[X] Internal function only. Returns S_(K)[X], the result of applying a digital signature function S to X based upon either secret key K₁ or K₂. The digital signature must be long enough to counter the chances of someone generating a random signature. The length depends on the signature scheme chosen (see below).

[0596] Random[ ] Returns R|S_(K1)[R].

[0597] Test[X, Y] Returns 1 and advances R if S_(K2)[R|X]=Y. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return 1 must be identical for all good inputs.

[0598] Read[X, Y] Returns M|S_(K2)[X|M] if S_(K1)[X]=Y. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return M|S_(K2)[X|M] must be identical for all good inputs.

[0599] Write[X] Writes X over those parts of M that can legitimately be written over.

[0600] To authenticate ChipA 20 and read ChipA's memory M:

[0601] 1. System 21 calls 60 ChipT's Random function;

[0602] 2. ChipT 23 produces R|S_(K1)[R] and returns 61 these to System;

[0603] 3. System 21 calls 62 ChipA's Read function, passing in R, S_(K1)[R];

[0604] 4. ChipA 20 returns 63 M and S_(K2)[R|M];

[0605] 5. System 21 calls 64 ChipT's Test function, passing in M and S_(K2)[R|M];

[0606] 6. System 21 checks response 65 from ChipT 23. If the response 65 is 1, then ChipA 20 is considered authentic. If 0, ChipA 20 is considered invalid.

[0607] To authenticate a write of M_(new) to ChipA's memory M:

[0608] 1. System calls ChipA's Write function, passing in M_(new);

[0609] 2. The authentication procedure for a Read is carried out;

[0610] 3. If ChipA is authentic and M_(new)=M, the write succeeded. Otherwise it failed.

[0611] The data flow for read authentication is shown in FIG. 6.

[0612] The first thing to note about Protocol C1 is that S_(K)[X] cannot be called directly. Instead S_(K)[X] is called indirectly by Random, Test and Read:

[0613] Random[ ] calls S_(K1)[X]. X is not chosen by the caller. It is chosen by the Random function. An attacker must perform a brute force search using multiple calls to Random, Read, and Test to obtain a desired X, S_(K1)[X] pair.

[0614] Test[X, Y] calls S_(K2)[R|X]. Does not return the result directly, but compares the result to Y and then returns 1 or 0. Any attempt to deduce K₂ by calling Test multiple times trying different values of S_(K2)[R|X] for a given X is reduced to a brute force search where R cannot even be chosen by the attacker.

[0615] Read[X, Y] calls S_(K1)[X]. X and S_(K1)[X] must be supplied by the caller, so the caller must already know the X, S_(K1)[X] pair. Since the call returns 0 if Y≠S_(K1)[X], an attacker is able to use the Read function for a brute force attack on K₁.

[0616] Read[X, Y] calls S_(K2)[X|M]. X is supplied by the caller. However X can only be those values already given out by the Random function (since X and Y are validated via K₁). Thus a chosen text attack must first collect pairs from Random (effectively a brute force attack). In addition, only part of M can be used in a chosen text attack since some of M is constant (read-only) and the decrement-only part of M can only be used once per consumable. In the next consumable the read-only part of M will be different.

[0617] Having S_(K)[X] called indirectly prevents chosen text attacks on the authentication chip. Since an attacker can only obtain a chosen R, S_(K1)[R] pair by calling Random, Read, and Test multiple times until the desired R appears, a brute force attack on K₁ is required in order to perform a limited chosen text attack on K₂. Any attempt at a chosen text attack on K₂ would be limited since the text cannot be completely chosen: parts of M are read-only, yet different for each authentication chip.

[0618] The second thing to note is that two keys are used. Given the small size of M (256 bits), two different keys K₁ and K₂ are used in order to ensure there is no correlation between S_(K1)[R] and S_(K2)[R|M]. K₁ is therefore used to help protect K₂ against differential attacks. It is not enough to use a single longer key since in practice, S is likely to have limitations on key length (for example, if S is HMAC-SHA1, the key length is a maximum of 160 bits. Adding more bits to the key adds no protection). It is therefore safer to protect K₂ from differential attacks with K₁. Otherwise it is potentially possible that an attacker, via some as-yet undiscovered technique, could determine the effect of the limited changes in M to particular bit combinations in R and thus calculate S_(K2)[X|M] based on S_(K1)[X].

[0619] As an added precaution, the Random and Test functions in ChipA should be disabled so that in order to generate R, S_(K1)[R] pairs, an attacker must use instances of ChipT, each of which is more expensive than ChipA (since a system must be obtained for each ChipT). Similarly, there should be a minimum delay between calls to Random, Read and Test so that an attacker cannot call these functions at high speed. Thus each chip can only give a specific number of R, S_(K1)[R] pairs away in a certain time period. For more information, see Section 7.

[0620] The only specific timing requirement of Protocol C1 is that the timing for good inputs must be the same regardless of the input value, and the return value of 0 (indicating a bad input) must be produced in the same amount of time regardless of where the error is in the input. Attackers can therefore not learn anything about what was bad about the input value. This is true for both Read and Test functions.

[0621] Another thing to note about Protocol C1 is that reading data from ChipA also requires authentication of ChipA. The System can be sure that the contents of memory (M) are what ChipA claims them to be if S_(K2)[R|M] is returned correctly. A clone chip may pretend that M is a certain value (for example it may pretend that the consumable is full), but it cannot return S_(K2)[R|M] for any R passed in by System. Thus the effective signature S_(K2)[R|M] assures System that not only did an authentic ChipA send M, but also that M was not altered in between ChipA and System.

[0622] Finally, the Write function as defined does not authenticate the Write. To authenticate a write, the System must perform a Read after each Write.
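Protocol C1's read authentication (steps 1 to 6) and the Write-then-Read procedure, as an added Python model that is not the patent's code: S_K is HMAC-SHA1, the keys, seeds and the step that advances R are constructed, and the 256-bit M is given a constructed read-only/decrement-only/read-write layout standing in for the one in the patent's Section 7. The demo shows a legitimate decrement succeeding, a refill attempt failing the M=M_new check, and two clone chips without the keys failing at Read and at Test respectively.

```python
import hashlib
import hmac

R_LEN = 16    # 128-bit R (constructed choice)
M_LEN = 32    # 256-bit memory vector M, the size the text gives
SIG_LEN = 20  # HMAC-SHA1 output
# Constructed layout of M; the patent's real layout is in its Section 7.
RO = slice(0, 8)     # read-only: per-chip identifier, differs between chips
DEC = slice(8, 16)   # decrement-only: remaining consumable count
RW = slice(16, 32)   # read/write scratch area

def sign(key: bytes, x: bytes) -> bytes:
    """S_K[X]: HMAC-SHA1, one of the signature functions the text names."""
    return hmac.new(key, x, hashlib.sha1).digest()

class Chip:
    """An authentication chip holding K1, K2, R and M. ChipT and ChipA are
    instances of the same class; the text's advice to disable Random and Test
    in ChipA is left out here for brevity."""
    def __init__(self, k1: bytes, k2: bytes, seed: bytes, m: bytes):
        self._k1, self._k2, self._r, self._m = k1, k2, seed, bytes(m)

    def random(self):
        """Random[]: R | S_K1[R]. R is not advanced here, only by a good Test."""
        return self._r, sign(self._k1, self._r)

    def test(self, x: bytes, y: bytes) -> int:
        """Test[X, Y]: 1 and advance R if S_K2[R|X] == Y, otherwise 0."""
        ok = hmac.compare_digest(sign(self._k2, self._r + x), y)
        if ok:
            self._r = hashlib.sha1(self._r).digest()[:R_LEN]  # stand-in sequence
        return 1 if ok else 0

    def read(self, x: bytes, y: bytes):
        """Read[X, Y]: M | S_K2[X|M] if S_K1[X] == Y, otherwise 0.
        The caller must already hold a valid (X, S_K1[X]) pair from Random."""
        if not hmac.compare_digest(sign(self._k1, x), y):
            return 0
        return self._m, sign(self._k2, x + self._m)

    def write(self, x: bytes) -> None:
        """Write[X]: only the writable parts of M take X. The read-only region
        is ignored and the decrement-only counter never increases (constructed
        rules standing in for the storage integrity the text assumes)."""
        if len(x) != M_LEN:
            return
        m = bytearray(self._m)
        m[RW] = x[RW]
        if int.from_bytes(x[DEC], "big") <= int.from_bytes(m[DEC], "big"):
            m[DEC] = x[DEC]
        self._m = bytes(m)

class CloneChip(Chip):
    """Clone without K2: it answers Read with whatever M it wants System to
    believe (here a blank M), but cannot produce S_K2[X|M]."""
    def read(self, x: bytes, y: bytes):
        return self._m, b"\x00" * SIG_LEN

def authenticated_read(chip_t: Chip, chip_a: Chip):
    """Steps 1-6: return M if ChipT accepts ChipA's signature, else None."""
    r, sig_r = chip_t.random()            # steps 1-2
    resp = chip_a.read(r, sig_r)          # steps 3-4
    if resp == 0:
        return None
    m, sig_m = resp
    return m if chip_t.test(m, sig_m) == 1 else None   # steps 5-6

def authenticated_write(chip_t: Chip, chip_a: Chip, m_new: bytes) -> bool:
    """Write, then an authenticated Read: success only if ChipA is authentic
    and the memory now equals M_new (the text's three-step write procedure)."""
    chip_a.write(m_new)
    return authenticated_read(chip_t, chip_a) == m_new

# Constructed keys; ChipT's own M plays no part in this protocol and is blank.
K1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K2 = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")

def make_chips():
    m_a = bytes(range(8)) + (1000).to_bytes(8, "big") + bytes(16)  # id, count, scratch
    return Chip(K1, K2, b"\x01" * R_LEN, bytes(M_LEN)), Chip(K1, K2, b"\x02" * R_LEN, m_a)

def demo() -> dict:
    chip_t, chip_a = make_chips()
    m = authenticated_read(chip_t, chip_a)
    out = {"read_count": int.from_bytes(m[DEC], "big")}
    # Legitimate use: decrement the counter and update the scratch area.
    m_new = m[RO] + (999).to_bytes(8, "big") + b"\xaa" * 16
    out["write_ok"] = authenticated_write(chip_t, chip_a, m_new)
    # A refill attempt raises the counter: the chip keeps 999, so M != M_new.
    m_up = m_new[RO] + (5000).to_bytes(8, "big") + m_new[RW]
    out["refill_ok"] = authenticated_write(chip_t, chip_a, m_up)
    # Chips without the keys: one cannot pass Read's check, one forges M.
    bad = (bytes(16), bytes(16), b"\x03" * R_LEN, bytes(M_LEN))
    out["clone_no_keys"] = authenticated_read(chip_t, Chip(*bad))
    out["clone_forged_m"] = authenticated_read(chip_t, CloneChip(*bad))
    return out
```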

[0623] There are some basic advantages with Protocol C1:

[0624] K₁ and K₂ are not revealed during the authentication process

[0625] Given X, a clone chip cannot generate S_(K2)[X|M] without the key or access to a real authentication chip.

[0626] System is easy to design, especially in low cost systems such as ink-jet printers, as no encryption or decryption is required by System itself.

[0627] A wide range of key based signature functions exists, including symmetric cryptography, random number sequences, and message authentication codes.

[0628] Keyed signature and one-way functions require fewer gates and are easier to verify than asymmetric algorithms.

[0629] Secure key size for a keyed signature function does not have to be as large as for an asymmetric (public key) algorithm. A minimum key size of 128 bits provides appropriate security if S is a symmetric cryptographic function, while 160 bits provides adequate security if S is HMAC-SHA1.

[0630] Consequently, with Protocol C1, the only way to authenticate ChipA is to read the contents of ChipA's memory.

[0631] The security of this protocol depends on the underlying S_(K)[X] scheme and the domain of R over the set of all Systems.

[0632] Although S_(K)[X] can be any keyed signature function, there is no advantage to implementing it as asymmetric encryption. The keys for asymmetric algorithms need to be longer and the encryption algorithm is more expensive in silicon. This leads to a second protocol for use with asymmetric algorithms—Protocol C2.

[0633] The primary disadvantage of Protocol C1 is that the value for R is known during the protocol. Consequently R, S_(K1)[R] pairs can be collected and analyzed in a form of differential attack. It would be preferable if R were unknown, as is the case with Protocol C3.

[0634] Protocol C1 must be implemented with two authentication chips in order to keep the keys secure. This means that each System requires an authentication chip and each consumable requires an authentication chip.

[0635] 5.2.2 Protocol C2

[0636] In some cases, System may contain a large amount of processing power. Alternatively, for instances of systems that are manufactured in large quantities, integration of ChipT into System may be desirable. Use of an asymmetrical encryption algorithm can allow the ChipT portion of System to be insecure. Protocol C2 therefore uses asymmetric cryptography.

[0637] For this protocol, each chip contains the following values:

[0638] KT ChipT only. Public key for encrypting. Does not have to be secret.

[0639] KA ChipA only. Private key for decrypting and encrypting. Must be secret.

[0640] R ChipT only. Current random number. Does not have to be secret, but must be seeded with a different initial value for each chip instance. Changes with each successful authentication as defined by the Test function.

[0641] M Memory vector of authentication chip. Part of this space should be different for each chip (does not have to be a random number).

[0642] There is no point in verifying anything in the Read function, since anyone can encrypt using a public key. Consequently the following functions are defined:

[0643] E[X] Internal function only. Returns E_(K)[X] where E is asymmetric encrypt function E.

[0644] D[X] Internal function only. Returns D_(K)[X] where D is asymmetric decrypt function D.

[0645] Random[ ] ChipT only. Returns E_(KT)[R].

[0646] Test[X, Y] Returns 1 and advances R if D_(KT)[R|X]=Y. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs, and the time taken to return 1 must be the same for all good inputs.

[0647] Read[X] ChipA only. Returns M|E_(KA)[R|M] where R=D_(KA)[X] (does not test input since ChipT is effectively public).

[0648] Write[X] Writes X over those parts of M that can legitimately be written over.

[0649] The public key KT is in ChipT, while the secret key K_(A) is in ChipA. Having K_(T) in ChipT has the advantage that ChipT can be implemented in software or hardware (with the proviso that R is seeded with a different random number for each system).

[0650] Protocol C2 requires that D_(KA)[E_(KT)[X]]=X and D_(KT)[E_(KA)[X]]=X.

[0651] To authenticate ChipA and read ChipA's memory M:

[0652] 1. System 21 calls 70 ChipT's Random function;

[0653] 2. ChipT 23 produces and returns 71 E_(KT)[R] to System;

[0654] 3. System 21 calls 72 ChipA's Read function, passing inE_(KT)[R];

[0655] 4. ChipA 20 returns 73 M|E_(KA)[R|M], first obtaining R byD_(KA)[E_(KT)[R]];

[0656] 5. System 21 calls 74 ChipT's Test function, passing in M andE_(KA)[R|M];

[0657] 6. ChipT 23 calculates D_(KT)[E_(KA)[R|M]] and compares it toR|M.

[0658] 7. System 21 checks response 75 from ChipT 23. If the response 75is 1, then ChipA 20 is considered authentic. If 0, ChipA 20 isconsidered invalid.

[0659] To authenticate a write of M_(new) to ChipA's memory M:

[0660] 1. System calls ChipA's Write function, passing in M_(new);

[0661] 2. The authentication procedure for a Read is carried out;

[0662] 3. If ChipA is authentic and M_(new)=M, the write succeeded.Otherwise it failed.

[0663] The data flow for read authentication is shown in FIG. 7:

[0664] Only a valid ChipA would know the value of R, since R is notpassed into the authenticate function (it is passed in as an encryptedvalue). R must be obtained by decrypting E[R], which can only be doneusing the secret key K_(A). Once obtained, R must be appended to M andthen the result re-encoded. ChipT can then verify that the decoded formof E_(KA)[R|M]=R|M and hence ChipA is valid. Since K_(T)±K_(A),E_(KT)[R] ¼ E_(K)[R].

[0665] Protocol C2 has the following advantages:

[0666] K_(A) (the secret key) is not revealed during the authentication process.

[0667] Given E_(KT)[R], a clone chip cannot generate R without K_(A) or access to a real ChipA.

[0668] Since K_(T)≠K_(A), ChipT can be implemented completely in software or in insecure hardware or as part of System. Only ChipA is required to be a secure authentication chip.

[0669] Since ChipT and ChipA contain different keys, intense testing of ChipT will reveal nothing about K_(A).

[0670] If ChipT is a physical chip, System is easy to design.

[0671] There are a number of well-documented and cryptanalyzed asymmetric algorithms to choose from for implementation, including patent-free and license-free solutions.

[0672] Even if System could be rewired so that ChipA requests were directed to ChipT, ChipT could never answer for ChipA since K_(T)≠K_(A). The attack would have to be directed at the System ROM itself to bypass the authentication protocol.

[0673] However, Protocol C2 has a number of disadvantages:

[0674] All authentication chips need to contain both asymmetric encrypt and decrypt functionality. Consequently each chip is larger, more complex, and more expensive than the chip required for Protocol C1.

[0675] For satisfactory security, each key needs to be 2048 bits (compared to a minimum of 128 bits for symmetric cryptography in Protocol C1). The associated intermediate memory used by the encryption and decryption algorithms is correspondingly larger.

[0676] Key generation is non-trivial. Random numbers are not good keys.

[0677] If ChipT is implemented as a core, there may be difficulties in linking it into a given System ASIC.

[0678] If ChipT is implemented as software, not only is the implementation of System open to programming error and non-rigorous testing, but the integrity of the compiler and mathematics primitives must be rigorously checked for each implementation of System. This is more complicated and costly than simply using a well-tested chip.

[0679] Although many asymmetric algorithms are specifically strengthened to be resistant to differential cryptanalysis (which is based on chosen text attacks), the private key K_(A) is susceptible to a chosen text attack.

[0680] It would be preferable to keep R hidden, but since K_(T) and in fact all of ChipT is effectively public, R must be public as well.

[0681] Protocol C2 authentication chips could not be exported from the USA, since they would be considered strong encryption devices.

[0682] As with Protocol C1, the only specific timing requirement of Protocol C2 is for returning values based on good or bad inputs. The time taken to return a value if the input is good must be the same regardless of the value of the input. The same is true if the value is bad. The time taken to process good and bad inputs does not have to be the same, however. Attackers can therefore not learn anything about what was bad (or good) about the input value. This is true for both Read and Test functions.

[0683] 5.2.3 Protocol C3

[0684] Protocol C3 attempts to solve one of the problems inherent in Protocols C1 and C2 in that pairs of R, F_(KT)[R] can be gathered by the attacker (where F is S or E). These pairs can be used to mount a limited chosen text attack on K₂, and can be used for differential analysis of K₁. It is therefore desirable to pass the chosen random number R from ChipT to ChipA without the intermediate System knowing the value of R. Protocol C2 cannot do this since ChipT is public and hence R is not secret. In addition, since R is random, it is not enough to simply pass an encrypted version of R to ChipA (as in Protocol C2), since a random sequence of bits could be substituted for a different random sequence of bits by the attacker.

[0685] The solution is to encrypt both R and R's digital signature so that ChipA can test if R was in fact generated by ChipT. Since we don't want to reveal R, C3 must be a Double Chip Protocol (ChipT cannot be incorporated into a software System or be included as an ASIC core). A keyed one-way function is not enough, since ChipA must recover R and R's signature. Symmetric encryption can therefore be safely used.

[0686] Protocol C3 therefore uses two keys. The first key is used in ChipT to encrypt R and the signature of R. The encrypted R and signature are sent to ChipA where R is extracted and verified by ChipA. If the R is valid, ChipA encrypts M|R using the second key, and outputs the result. The System sends the output from ChipA back to ChipT where it is verified against the known R encrypted with the second key.

[0687] For this protocol, each chip contains the following values:

[0688] K₁ Key for encrypting in ChipT and decrypting in ChipA. Must be secret.

[0689] K₂ Key for encrypting in both ChipA and ChipT. Must be secret.

[0690] R Current random number. Must be secret and must be seeded with a different initial value for each chip instance. Changes with each successful call to the Test function.

[0691] M Memory vector of authentication chip. Part of this space should be different for each chip (does not have to be a random number).

[0692] The following functions are defined:

[0693] E[X] Internal function only. Returns E_(K)[X] where E is symmetric encrypt function E.

[0694] D[X] Internal function ChipA only. Returns D_(K)[X] where D is symmetric decrypt function D.

[0695] S[X] Internal function only. Returns S[X], the digital signature for X. The digital signature must be long enough to counter the chances of someone generating a random signature. 128 bits is a satisfactory size if S is symmetric encryption, while 160 bits is a satisfactory size if S is HMAC-SHA1.

[0696] Random[ ] ChipT only. Returns E_(K1)[R|S[R]].

[0697] Test[X, Y] ChipT only. Returns 1 and advances R if E_(K2)[X|R]=Y. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return 1 must be identical for all good inputs.

[0698] Read[X] ChipA only. Calculates Y|Z from D_(K1)[X]. Returns M|E_(K2)[M|Y] if S[Y]=Z. Otherwise returns 0. The time taken to return 0 must be identical for all bad inputs. The time taken to return M|E_(K2)[M|Y] must be the same for all good inputs.

[0699] The protocol for authentication is as follows:

[0700] 1. System 21 calls 80 ChipT's Random function;

[0701] 2. ChipT 23 returns 81 E_(K1)[R|S[R]] to System 21;

[0702] 3. System 21 calls 82 ChipA's Read function, passing in E_(K1)[R|S[R]];

[0703] 4. ChipA 20 decrypts E_(K1)[R|S[R]], and calculates its own S[R] based upon the decrypted R. If the two match, ChipA 20 returns 83 M, E_(K2)[M|R]. Otherwise ChipA 20 returns 0;

[0704] 5. System 21 calls 84 ChipT's Test function, passing in the returned M and E_(K2)[M|R]. ChipT 23 generates its own E_(K2)[M|R] and compares it against the input value. If they are equal, then ChipA 20 is considered valid and a 1 is returned 85 to System 21. If not, ChipA is invalid and 0 is returned 85 to System 21.

[0705] The data flow can be seen in FIG. 8:
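The five-step Protocol C3 exchange above, worked through as an added example (constructed here; it is not code from the patent or from the chip it describes). The symmetric cipher E is stood in for by a 4-round Feistel network with an HMAC-SHA1 round function, S by HMAC-SHA1 under a fixed constant, and R advances by one step of the Section 5.4 LFSR after each successful Test; those choices, the 160-bit sizes of R, S[R] and M, and the key, seed and memory values are all assumptions. What the code shows is that System only forwards two opaque 40-byte blocks and never sees R or either key, that ChipA refuses a challenge whose signature does not verify before producing any K₂ output, and that a captured reply stops working once R has advanced.

```python
import hashlib
import hmac

# Constructed demonstration of Protocol C3 (not the patent's own chip code).
# Assumptions: E is a 4-round Feistel network with an HMAC-SHA1 round function
# standing in for the symmetric cipher; S is HMAC-SHA1 under a fixed constant;
# R, S[R] and M are each 160 bits, so R|S[R] and M|R are 40-byte blocks; R
# advances by one step of the Section 5.4 LFSR after each successful Test.

HALF = 20      # bytes per Feistel half (one SHA-1 digest wide)
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha1).digest()

def E(key: bytes, x: bytes) -> bytes:
    """Symmetric encrypt E_K[X] over one 40-byte block (stand-in cipher)."""
    assert len(x) == 2 * HALF
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def D(key: bytes, y: bytes) -> bytes:
    """Symmetric decrypt D_K[Y]: the same rounds applied in reverse order."""
    assert len(y) == 2 * HALF
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def S(x: bytes) -> bytes:
    """Digital signature S[X], 160 bits (keying constant is an assumption)."""
    return hmac.new(b"constructed-signature-key", x, hashlib.sha1).digest()

def lfsr_advance(r: int) -> int:
    """Section 5.4 LFSR: XOR bits 0, 2, 3, 5 and shift the result into bit 159."""
    fb = (r ^ (r >> 2) ^ (r >> 3) ^ (r >> 5)) & 1
    return (r >> 1) | (fb << 159)

class ChipT:
    """System-side chip: holds K1, K2 and the secret current R."""
    def __init__(self, k1: bytes, k2: bytes, seed: int):
        self.k1, self.k2, self.r = k1, k2, seed

    def random(self) -> bytes:
        """Random[]: E_K1[R|S[R]]; R itself never leaves the chip in the clear."""
        r = self.r.to_bytes(HALF, "big")
        return E(self.k1, r + S(r))

    def test(self, m: bytes, y: bytes) -> int:
        """Test[M, Y]: 1 and advance R if Y == E_K2[M|R], else 0."""
        r = self.r.to_bytes(HALF, "big")
        ok = hmac.compare_digest(E(self.k2, m + r), y)  # fixed-time compare
        if ok:
            self.r = lfsr_advance(self.r)
        return int(ok)

class ChipA:
    """Consumable-side chip: K1 to recover R, K2 to answer."""
    def __init__(self, k1: bytes, k2: bytes, m: bytes):
        self.k1, self.k2, self.m = k1, k2, m

    def read(self, x: bytes):
        """Read[X]: M, E_K2[M|R] if the decrypted signature matches S[R], else 0."""
        plain = D(self.k1, x)
        y, z = plain[:HALF], plain[HALF:]
        if not hmac.compare_digest(S(y), z):
            return 0            # X was not produced by ChipT: refuse to answer
        return self.m, E(self.k2, self.m + y)

def authenticate(t: ChipT, a: ChipA) -> int:
    """System's five-step flow; System never sees R or either key."""
    reply = a.read(t.random())          # steps 1-4
    if reply == 0:
        return 0
    m, sig = reply
    return t.test(m, sig)               # step 5

# Constructed keys, seed and memory vector for a stand-alone run.
K1 = b"k1-constructed-key"
K2 = b"k2-constructed-key"
SEED = int.from_bytes(hashlib.sha1(b"physically random seed").digest(), "big") or 1
M = b"ink-remaining=100%".ljust(HALF)   # padded to 160 bits

if __name__ == "__main__":
    t, a = ChipT(K1, K2, SEED), ChipA(K1, K2, M)
    print("genuine consumable:", authenticate(t, a))
    print("clone without K2:  ", authenticate(t, ChipA(K1, b"wrong", M)))
```

The two `hmac.compare_digest` calls are the code form of the timing rule in [0697] and [0698]: a wrong Y takes the same time whichever byte is wrong. Note also that ChipT's Test is deterministic in R, so a reply captured on one authentication is useless on the next because R has moved on.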

[0706] Protocol C3 has the following advantages:

[0707] K₁ and K₂ (the secret keys) are not revealed during the authentication process.

[0708] The time varying challenge R is encrypted, so that it is not revealed during the authentication process. An attacker cannot build a table of X, E_(K)[X] values for K₁ or K₂.

[0709] An attacker cannot call Read without a valid R|S[R] pair encrypted with K₁. K₂ is therefore resistant to a chosen text attack. R only advances with a valid call to Test, so K₁ is also not susceptible to a chosen text attack. It is true that the E_(K1)[R|S[R]] values can be collected by an attacker, but there is no correlation between these values and the output value from the Read function since there are two unknowns—R and K₂.

[0710] System is easy to design, especially in low cost systems such as ink-jet printers, as no encryption or decryption is required by System itself.

[0711] There are a number of well-documented and cryptanalyzed symmetric algorithms to choose from for implementation of E, including patent-free and license-free solutions.

[0712] A wide range of signature functions exists, from message authentication codes to random number sequences to key-based symmetric cryptography.

[0713] Signature functions and symmetric encryption algorithms require fewer gates and are easier to verify than asymmetric algorithms.

[0714] Secure key size for symmetric encryption does not have to be as large as for an asymmetric (public key) algorithm. A minimum of 128 bits can provide appropriate security for symmetric encryption.

[0715] However, Protocol C3 has a number of its own problems:

[0716] Although there are a large number of available functions for E and S, the choice of E and S is non-trivial. Some require licensing due to patent protection.

[0717] Depending on the chosen encryption algorithm, key generation can be complicated. The method of selecting a good key depends on the algorithm being used. Certain keys are weak for a given algorithm.

[0718] If ChipA and ChipT are instances of the same authentication chip, each chip must contain both symmetric encrypt and decrypt functionality. Consequently each chip is larger, more complex, and more expensive than the chip required for Protocol P1, which only has encrypt functionality.

[0719] If the authentication chip is broken into two chips to save cost and reduce complexity of design/test, two chips still need to be manufactured, reducing the economies of scale. Unfortunately, ChipA must contain both encrypt and decrypt, making the consumable authentication chip the larger of the two chips. Both chips must also contain signature functions, making them more complex than the chip required for Protocol C1.

[0720] Protocol C3 authentication chips could not be exported from the USA, since they are considered strong encryption devices.

[0721] 5.2.4 Additional Notes

[0722] 5.2.4.1 General Comments

[0723] Protocol C3 is the most secure of the three Consumable Lifetime authentication protocols, since nothing is revealed about the challenge from the response. However, Protocol C3 requires implementation of encryption, decryption and signature functions, making it more expensive in silicon than Protocol C1. In addition, export regulations imposed by the United States make this protocol problematic.

[0724] With Protocol C2, even if the process of choosing a key were straightforward, Protocol C2 is impractical at the present time due to the high cost of silicon implementation (both key size and functional implementation).

[0725] Protocol C1 is therefore the current protocol of choice for Consumable Lifetime authentication. Eventually, as silicon costs come down with Moore's Law, and USA export regulations are relaxed, Protocol C3 will be preferable to Protocol C1. When silicon costs are negligible or tight integration is required, Protocol C2 may be preferable to Protocol C1, but the security protocol of choice would still remain Protocol C3.

[0726] 5.2.4.2 Variation on call to Test[ ]

[0727] If there are two authentication chips used, it is theoretically possible for a clone manufacturer to replace the System authentication chip with one that returns 1 (success) for each call to Test. The System can test for this by calling Test a number of times—N times with a wrong hash value, and expect the result to be 0. The final time that Test is called, the true returned value from ChipA is passed, and the return value is trusted. The question then arises of how many times to call Test. The number of calls must be random, so that a clone chip manufacturer cannot know the number ahead of time.

[0728] If System has a clock, bits from the clock can be used to determine how many false calls to Test should be made. Otherwise the returned value from ChipA can be used. In the latter case, an attacker could still rewire the System to permit a clone ChipT to view the returned value from ChipA, and thus know which hash value is the correct one.

[0729] The worst case, of course, is that the System can be completely replaced by a clone System that does not require authenticated consumables—this is the limit case of rewiring and changing the System. For this reason, the variation on calls to Test is optional, depending on the System, the Consumable, and how likely modifications are to be made. Adding such logic to System (for example in the case of a small desktop printer) may be considered not worthwhile, as the System is made more complicated. By contrast, adding such logic to a camera may be considered worthwhile.

[0730] 5.2.4.3 Clone Consumable using Real Authentication Chip

[0731] It is important to decrement the amount of consumable remaining before using that consumable portion. If the consumable is used first, a clone consumable could fake a loss of contact during a write to the special known address and then appear as a fresh new consumable. It is important to note that this attack still requires a real authentication chip in each consumable.

[0732] 5.2.4.4 Longevity of Key

[0733] A general problem of these two protocols is that once the authentication keys are chosen, they cannot easily be changed. In some instances the compromise of a key could be disastrous, while in other cases it is not a problem. See Section 5.1.4 for more information.

[0734] 5.3 Choosing a Protocol

[0735] As described in Section 5.1.4.1 and Section 5.2.4.1, Protocols P1 and C1 are the protocols of choice. Eventually, as silicon costs come down with Moore's Law, and USA export regulations are relaxed, Protocols P3 and C3 will be preferable to Protocols P1 and C1.

[0736] However, Protocols P1 and C1 contain many of the same components:

[0737] both require read and write access;

[0738] both require implementation of a keyed one-way function; and

[0739] both require random number generation functionality.

[0740] Protocol C1 requires an additional key (K₂) as well as some minimal state machine changes:

[0741] a state machine alteration to enable F_(K1)[X] to be called during Random;

[0742] a Test function which calls F_(K2)[X];

[0743] a state machine alteration to the Read function to call F_(K1)[X] and F_(K2)[X].

[0744] Protocol C1 only requires minimal changes over Protocol P1. It is more secure and can be used in all places where Presence Only authentication is required (Protocol P1). It is therefore the protocol of choice.

[0745] Given that Protocols P1 and C1 both make use of keyed signature functions, the choice of function is examined in more detail here. Table 2 outlines the attributes of the applicable choices (see Section 3.3 and Section 3.6 for more information). The attributes are phrased so that the attribute is seen as an advantage.

TABLE 2 Summary of Symbolic Nomenclature

| Attribute | Triple DES | Blowfish | RC5 | IDEA | Random Sequences | HMAC-MD5 | HMAC-SHA1 | HMAC-RIPEMD160 |
| Preferred key size (bits) for use in this application | 168^(a) | 128 | 128 | 128 | 512 | 128 | 160 | 160 |
| Block size (bits) | 64 | 64 | 64 | 64 | 256 | 512 | 512 | 512 |
| Output size given input size N | ≧N | ≧N | ≧N | ≧N | 128 | 128 | 160 | 160 |

The remaining attributes are marked with • per algorithm; the number of algorithms marked out of the eight is given here, the per-algorithm placement of the marks not being recoverable from the text as reproduced: Free of patents (6); Random key generation (3); Can be exported from the USA (4); Fast (4); Cryptanalysis attack-free, apart from weak keys (5); Low storage requirements (4); Low silicon complexity (4); NSA designed (2).

[0746] An examination of Table 2 shows that the choice is effectively between the 3 HMAC constructs and the Random Sequence. The problem of key size and key generation eliminates the Random Sequence. Given that a number of attacks have already been carried out on MD5 and since the hash result is only 128 bits, HMAC-MD5 is also eliminated. The choice is therefore between HMAC-SHA1 and HMAC-RIPEMD160.

[0747] RIPEMD-160 is relatively new, and has not been as extensively cryptanalyzed as SHA-1. However, SHA-1 was designed by the NSA.

[0748] SHA-1 is preferred for the HMAC construct for the following reasons:

[0749] SHA-1 was designed by the NSA;

[0750] SHA-1 has been more extensively cryptanalyzed without being broken;

[0751] SHA-1 requires slightly less intermediate storage than RIPEMD-160;

[0752] SHA-1 is algorithmically less complex than RIPEMD-160;

[0753] Although SHA-1 is slightly faster than RIPEMD-160, this was not a reason for choosing SHA-1.

[0754] Protocol C1 using HMAC-SHA1 is therefore the protocol of choice. It is examined in more detail in Section 6.

[0755] 5.4 Choosing a Random Number Generator

[0756] Each of the described protocols requires a random number generator. The generator must be “good” in the sense that the random numbers generated over the life of all Systems cannot be predicted.

[0757] If the random numbers were the same for each System, an attacker could easily record the correct responses from a real authentication chip, and place the responses into a ROM lookup for a clone chip. With such an attack there is no need to obtain K₁ or K₂.

[0758] Therefore the random numbers from each System must be different enough to be unpredictable, or non-deterministic. As such, the initial value for R (the random seed) should be programmed with a physically generated random number gathered from a physically random phenomenon, one where there is no information about whether a particular bit will be 1 or 0. The seed for R must NOT be generated with a computer-run random number generator. Otherwise the generator algorithm and seed may be compromised, enabling an attacker to generate and therefore know the set of all R values in all Systems.

[0759] Having a different R seed in each authentication chip means that the first R will be both random and unpredictable across all chips. The question therefore arises of how to generate subsequent R values in each chip.

[0760] The base case is not to change R at all. Consequently R and F_(K1)[R] will be the same for each call to Random[ ]. If they are the same, then F_(K1)[R] can be a constant rather than calculated. An attacker could then use a single valid authentication chip to generate a valid lookup table, and then use that lookup table in a clone chip programmed especially for that System. A constant R is not secure.

[0761] The simplest conceptual method of changing R is to increment it by 1. Since R is random to begin with, the values across differing systems are still likely to be random. However, given an initial R, all subsequent R values can be determined directly (there is no need to iterate 10,000 times—R will take on values from R₀ to R₀+10000). An incrementing R is immune to the earlier attack on a constant R. Since R is always different, there is no way to construct a lookup table for the particular System without wasting as many real authentication chips as the clone chip will replace.

[0762] Rather than increment using an adder, another way of changing R is to implement it as an LFSR (Linear Feedback Shift Register). This has the advantage of an attacker not being able to directly determine the range of R for a particular System, since an LFSR value-domain is determined by sequential access. To determine which values a given initial R will generate, an attacker must iterate through the possibilities and enumerate them. The advantages of a changing R are also evident in the LFSR solution. Since R is always different, there is no way to construct a lookup table for the particular System without using up as many real authentication chips as the clone chip will replace (and only for that System). There is therefore no advantage in having a more complex function to change R. Regardless of the function, it will always be possible for an attacker to iterate through the lifetime set of values in a simulation. The primary security lies in the initial randomness of R. Using an LFSR to change R simply has the advantage of not being restricted to a consecutive numeric range (i.e. knowing R, R_N cannot be directly calculated; an attacker must iterate through the LFSR N times).

[0763] The Random number generator 90 within the authentication chip is therefore an LFSR 91 with 160 bits and four taps 92, 93, 94 and 95, which feed an exclusive-OR gate 96, which in turn feeds back 97 to bit₁₅₉. Tap selection of the 160 bits for a maximal-period LFSR (i.e. the LFSR will cycle through all 2¹⁶⁰−1 states; 0 is not a valid state) yields bit₅, bit₃, bit₂, and bit₀ [78], as shown in FIG. 9. The example LFSR is sparse, in that not many bits are used for feedback (only 4 out of 160 bits are used), although a maximal-period LFSR with more taps offers slightly more protection against differential cryptanalysis on collected R, F[R] pairs.

[0764] The 160-bit seed value for R can be any random number except 0, since an LFSR filled with 0s will produce a never-ending stream of 0s.

[0765] Since the LFSR described is a maximal-period LFSR, all 160 bits can be used directly as R.

[0766] After each successful call to Test, the random number (R) must be advanced by XORing bits 0, 2, 3, and 5, and shifting the result into the high order bit. The new R and corresponding F_(K1)[R] can be retrieved on the next call to Random.
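Protocol C1 as assembled from the components listed in Section 5.3, with F as HMAC-SHA1 and R advanced by the 160-bit LFSR just described, as an added example (constructed here; not the patent's chip code). The exact shapes of Random, Read and Test, the R|M ordering, the decoy-call variation of Section 5.2.4.2, and the key, seed and memory values are assumptions drawn from the page's description of C1. The LFSR step is written out exactly as [0766] states it (XOR bits 0, 2, 3 and 5, shift into bit 159), the seed check enforces the non-zero rule of [0764], and the Read and Test comparisons return only 0 on any bad input, as [0794] requires.

```python
import hashlib
import hmac

# Constructed demonstration of Protocol C1 over HMAC-SHA1 with the 160-bit LFSR
# of Section 5.4 (not the patent's own chip code). The function shapes below
# (Random returns R, F_K1[R]; Read[X, Y] checks F_K1[X] before answering with
# M, F_K2[X|M]; Test[M, Y] checks F_K2[R|M]) and the R|M ordering are assumptions
# drawn from the page's description of C1 and Section 5.3.

MASK160 = (1 << 160) - 1

def F(key: bytes, x: bytes) -> bytes:
    """The keyed one-way function: HMAC-SHA1 with a 160-bit output."""
    return hmac.new(key, x, hashlib.sha1).digest()

def lfsr_advance(r: int) -> int:
    """One step of the maximal-period LFSR (FIG. 9): XOR bits 0, 2, 3 and 5 of R
    and shift the result into bit 159. The all-zero state is a fixed point."""
    fb = (r ^ (r >> 2) ^ (r >> 3) ^ (r >> 5)) & 1
    return ((r >> 1) | (fb << 159)) & MASK160

class ChipT:
    """System-side chip: K1, K2 and the current R."""
    def __init__(self, k1: bytes, k2: bytes, seed: int):
        if not 0 < seed <= MASK160:
            raise ValueError("R must be seeded with a non-zero 160-bit value")
        self.k1, self.k2, self.r = k1, k2, seed

    def random(self):
        """Random[]: the current R and F_K1[R]; in C1 the value R is public."""
        r = self.r.to_bytes(20, "big")
        return r, F(self.k1, r)

    def test(self, m: bytes, y: bytes) -> int:
        """Test[M, Y]: 1 and advance R iff Y == F_K2[R|M]; 0 otherwise."""
        r = self.r.to_bytes(20, "big")
        ok = hmac.compare_digest(F(self.k2, r + m), y)   # same time for any bad Y
        if ok:
            self.r = lfsr_advance(self.r)    # next Random returns a fresh R, F_K1[R]
        return int(ok)

class ChipA:
    """Consumable-side chip: K1 to validate the challenge, K2 to answer it."""
    def __init__(self, k1: bytes, k2: bytes, m: bytes):
        self.k1, self.k2, self.m = k1, k2, m

    def read(self, x: bytes, y: bytes):
        """Read[X, Y]: M, F_K2[X|M] if F_K1[X] == Y, else 0 (no hint which bit was wrong)."""
        if not hmac.compare_digest(F(self.k1, x), y):
            return 0
        return self.m, F(self.k2, x + self.m)

def authenticate(t: ChipT, a: ChipA) -> int:
    """System's flow: Random -> Read -> Test; System holds no key."""
    r, sig_r = t.random()
    reply = a.read(r, sig_r)
    if reply == 0:
        return 0
    m, sig = reply
    return t.test(m, sig)

def authenticate_with_decoys(t: ChipT, a: ChipA, decoys: int) -> int:
    """Section 5.2.4.2 variation: call Test with wrong values first, so a
    substituted ChipT that answers 1 to everything is caught. The number of
    decoy calls should be chosen at random by System (fixed here by the caller)."""
    r, sig_r = t.random()
    reply = a.read(r, sig_r)
    if reply == 0:
        return 0
    m, sig = reply
    for _ in range(decoys):
        if t.test(m, bytes(20)) != 0:    # a wrong hash value must be rejected
            return 0
    return t.test(m, sig)

class AlwaysYesChipT(ChipT):
    """The replaced System chip of 5.2.4.2 that returns 1 for every Test call."""
    def test(self, m: bytes, y: bytes) -> int:
        return 1

# Constructed keys, seed and memory vector for a stand-alone run.
K1 = b"k1-constructed-key"
K2 = b"k2-constructed-key"
SEED = int.from_bytes(hashlib.sha1(b"physically random seed").digest(), "big") or 1
M = b"ink-remaining=100%"

if __name__ == "__main__":
    t, a = ChipT(K1, K2, SEED), ChipA(K1, K2, M)
    print("genuine consumable:", authenticate(t, a))
    print("clone without K2:", authenticate(t, ChipA(K1, b"wrong", M)))
    print("always-yes ChipT caught:",
          authenticate_with_decoys(AlwaysYesChipT(K1, K2, SEED), a, 3))
```

Because a failed Test does not advance R, the decoy calls leave the genuine ChipT in the same state for the final, real call; only the successful call moves the LFSR on, which is why the R, F_K1[R] pair returned by Random changes exactly once per authenticated consumable use.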

[0767] 5.5 Holding Out Against Logical Attacks

[0768] Protocol C1 is the authentication scheme used by the authentication chip. As such, it should be resistant to defeat by logical means. While the effects of various types of attacks on Protocol C1 have been mentioned in discussion, this section details each type of attack in turn with reference to Protocol C1.

[0769] 5.5.1 Brute Force Attack

[0770] A brute force attack is guaranteed to break Protocol C1 (or in fact, any protocol). However, the length of the key means that the time for an attacker to perform a brute force attack is too long to be worth the effort.

[0771] An attacker only needs to break K₂ to build a clone authentication chip. K₁ is merely present to strengthen K₂ against other forms of attack. A brute force attack on K₂ must therefore break a 160-bit key.

[0772] An attack against K₂ requires a maximum of 2¹⁶⁰ attempts, with a 50% chance of finding the key after only 2¹⁵⁹ attempts. Assuming an array of a trillion processors, each running one million tests per second, 2¹⁵⁹ (7.3×10⁴⁷) tests takes 2.3×10²² years, which is longer than the total lifetime of the universe. There are around 100 million personal computers in the world. Even if these were all connected in an attack (e.g. via the Internet), this number is still 10,000 times smaller than the trillion-processor attack described. Further, if the manufacture of one trillion processors becomes a possibility in the age of nanocomputers, the time taken to obtain the key is still longer than the total lifetime of the universe.

[0773] 5.5.2 Guessing the Key Attack

[0774] It is theoretically possible that an attacker can simply “guess the key”. In fact, given enough time, and trying every possible number, an attacker will obtain the key. This is identical to the brute force attack described above, where 2¹⁵⁹ attempts must be made before a 50% chance of success is obtained.

[0775] The chance of someone simply guessing the key on the first try is 1 in 2¹⁶⁰. For comparison, the chance of someone winning the top prize in a U.S. state lottery and being killed by lightning in the same day is only 1 in 2⁶¹ [78]. The chance of someone guessing the authentication chip key on the first go is 1 in 2¹⁶⁰, which is comparable to two people choosing exactly the same atoms from a choice of all the atoms in the Earth, i.e. extremely unlikely.

[0776] 5.5.3 Quantum Computer Attack

[0777] To break K₂, a quantum computer containing 160 qubits embedded in an appropriate algorithm must be built. As described in Section 3.8.1.7, an attack against a 160-bit key is not feasible. An outside estimate of the possibility of quantum computers is that 50 qubits may be achievable within 50 years. Even using a 50 qubit quantum computer, 2¹¹⁰ tests are required to crack a 160 bit key. Assuming an array of 1 billion 50 qubit quantum computers, each able to try 2⁵⁰ keys in 1 microsecond (beyond the current wildest estimates), finding the key would take an average of 18 billion years.

[0778] 5.5.4 Ciphertext Only Attack

[0779] An attacker can launch a ciphertext only attack on K₁ by monitoring calls to Random and Read, and on K₂ by monitoring calls to Read and Test. However, given that all these calls also reveal the plaintext as well as the hashed form of the plaintext, the attack would be transformed into a stronger form of attack—a known plaintext attack.

[0780] 5.5.5 Known Plaintext Attack

[0781] It is easy to connect a logic analyzer to the connection between the System and the authentication chip, and thereby monitor the flow of data. This flow of data results in known plaintext and the hashed form of the plaintext, which can therefore be used to launch a known plaintext attack against both K₁ and K₂.

[0782] To launch an attack against K₁, multiple calls to Random and Test must be made (with the call to Test being successful, and therefore requiring a call to Read on a valid chip). This is straightforward, requiring the attacker to have both a system authentication chip and a consumable authentication chip. For each K₁: X, S_(K1)[X] pair revealed, a K₂: Y, S_(K2)[Y] pair is also revealed. The attacker must collect these pairs for further analysis.

[0783] The question arises of how many pairs must be collected for a meaningful attack to be launched with this data. An example of an attack that requires collection of data for statistical analysis is differential cryptanalysis (see Section 5.5.13). However, there are no known attacks against SHA-1 or HMAC-SHA1 [7][56][78], so there is no use for the collected data at this time.

[0784] Note that Protocol C3 is not susceptible to a plaintext attack.

[0785] 5.5.6 Chosen Plaintext Attacks

[0786] Given that the cryptanalyst has the ability to modify subsequent chosen plaintexts based upon the results of previous experiments, K₂ is open to a partial form of the adaptive chosen plaintext attack, which is certainly a stronger form of attack than a simple chosen plaintext attack.

[0787] A chosen plaintext attack is not possible against K₁, since there is no way for a caller to modify R, which is used as input to the Random function (the only function to provide the result of hashing with K₁).

[0788] 5.5.7 Adaptive Chosen Plaintext Attacks

[0789] This kind of attack is not possible against K₁, since K₁ is not susceptible to chosen plaintext attacks. However, a partial form of this attack is possible against K₂, especially since both System and consumables are typically available to the attacker (the System may not be available to the attacker in some instances, such as a specific car).

[0790] The HMAC construct provides security against all forms of chosen plaintext attacks [7]. This is primarily because the HMAC construct has two secret input variables (the result of the original hash, and the secret key). Thus finding collisions in the hash function itself when the input variable is secret is even harder than finding collisions in the plain hash function. This is because the former requires direct access to SHA-1 (not permitted in Protocol C1) in order to generate pairs of input/output from SHA-1.

[0791] The only values that can be collected by an attacker are HMAC[R] and HMAC[R|M]. These are not attacks against the SHA-1 hash function itself, and reduce the attack to a differential cryptanalysis attack (see Section 5.5.13), examining statistical differences between collected data. Given that there is no differential cryptanalysis attack known against SHA-1 or HMAC, Protocol C1 is resistant to the adaptive chosen plaintext attacks. Note that Protocol C3 is not susceptible to this attack.

[0792] 5.5.8 Purposeful Error Attack

[0793] An attacker can only launch a purposeful error attack on the Test and Read functions, since these are the only functions that validate input against the keys.

[0794] With both the Test and Read functions, a 0 value is produced if an error is found in the input—no further information is given. In addition, the time taken to produce the 0 result is independent of the input, giving the attacker no information about which bit(s) were wrong.

[0795] A purposeful error attack is therefore fruitless.

[0796] 5.5.9 Chaining Attack

[0797] Any form of chaining attack assumes that the message to be hashed is over several blocks, or the input variables can somehow be set. The HMAC-SHA1 algorithm used by Protocol C1 only ever hashes a single 512-bit block at a time. Consequently chaining attacks are not possible against Protocol C1.

[0798] 5.5.10 Birthday Attack

[0799] The strongest attack known against HMAC is the birthday attack, based on the frequency of collisions for the hash function [7][51]. However, this is totally impractical for minimally reasonable hash functions such as SHA-1. And the birthday attack is only possible when the attacker has control over the message that is hashed.

[0800] Protocol C1 uses hashing as a form of digital signature. The System sends a number that must be incorporated into the response from a valid authentication chip. Since the authentication chip must respond with HMAC[R|M], but has no control over the input value R, the birthday attack is not possible. This is because the message has effectively already been generated and signed. An attacker must instead search for a collision message that hashes to the same value (analogous to finding one person who shares your birthday).

[0801] The clone chip must therefore attempt to find a new value R₂ such that the hash of R₂ and a chosen M₂ yields the same hash value as H[R|M]. However, the System authentication chip does not reveal the correct hash value (the Test function only returns 1 or 0 depending on whether the hash value is correct). Therefore the only way of finding out the correct hash value (in order to find a collision) is to interrogate a real authentication chip. But to find the correct value means to update M, and since the decrement-only parts of M are one-way, and the read-only parts of M cannot be changed, a clone consumable would have to update a real consumable before attempting to find a collision. The alternative is a brute force attack search on the Test function to find a success (requiring each clone consumable to have access to a System consumable). A brute force search, as described above, takes longer than the lifetime of the universe, in this case, per authentication.

[0802] Due to the fact that a timely gathering of a hash value implies a real consumable must be decremented, there is no point for a clone consumable to launch this kind of attack.

[0803] 5.5.11 Substitution with a Complete Lookup Table

[0804] The random number seed in each System is 160 bits. The worst case situation for an authentication chip is that no state data is changed. Consequently there is a constant value returned as M. However, a clone chip must still return S_(K2)[R|M], which is a 160 bit value.

[0805] Assuming a 160-bit lookup of a 160-bit result, this requires 2.9×10⁴⁹ bytes, or 2.6×10³⁷ terabytes, certainly more space than is feasible for the near future. This of course does not even take into account the method of collecting the values for the ROM. A complete lookup table is therefore completely impossible.

[0806] 5.5.12 Substitution with a Sparse Lookup Table

[0807] A sparse lookup table is only feasible if the messages sent to the authentication chip are somehow predictable, rather than effectively random.

[0808] The random number R is seeded with an unknown random number, gathered from a naturally random event. There is no possibility for a clone manufacturer to know what the possible range of R is for all Systems, since each bit has an unrelated chance of being 1 or 0.

[0809] Since the range of R in all systems is unknown, it is not possible to build a sparse lookup table that can be used in all systems. The general sparse lookup table is therefore not a possible attack.

[0810] However, it is possible for a clone manufacturer to know what the range of R is for a given System. This can be accomplished by loading an LFSR with the current result from a call to a specific System authentication chip's Random function, and iterating some number of times into the future. If this is done, a special ROM can be built which will only contain the responses for that particular range of R, i.e. a ROM specifically for the consumables of that particular System. But the attacker still needs to place correct information in the ROM. The attacker will therefore need to find a valid authentication chip and call it for each of the values in R.

[0811] Suppose the clone authentication chip reports a full consumable,and then allows a single use before simulating loss of connection andinsertion of a new full consumable. The clone consumable would thereforeneed to contain responses for authentication of a full consumable andauthentication of a partially used consumable. The worst case ROMcontains entries for full and partially used consumables for R over thelifetime of System. However, a valid authentication chip must be used togenerate the information, and be partially used in the process. If agiven System only produces n R-values, the sparse lookup-ROM required is20n bytes (20=160/8) multiplied by the number of different values for M.The time taken to build the ROM depends on the amount of time enforcedbetween calls to Read.

[0812] After all this, the clone manufacturer must rely on the consumerreturning for a refill, since the cost of building the ROM in the firstplace consumes a single consumable. The clone manufacturer's business insuch a situation is consequently in the refills.

[0813] The time and cost then, depends on the size of R and the numberof different values for M that must be incorporated in the lookup. Inaddition, a custom clone consumable ROM must be built to match each andevery System, and a different valid authentication chip must be used foreach System (in order to provide the full and partially used data). Theuse of an authentication chip in a System must therefore be examined todetermine whether or not this kind of attack is worthwhile for a clonemanufacturer.

[0814] As an example, of a camera system that has about 10,000 prints inits lifetime. Assume it has a single Decrement Only value (number ofprints remaining), and a delay of 1 second between calls to Read. Insuch a system, the sparse table will take about 3 hours to build, andconsumes 100K. Remember that the construction of the ROM requires theconsumption of a valid authentication chip, so any money charged must beworth more than a single consumable and the clone consumable combined.Thus it is not cost effective to perform this function for a singleconsumable (unless the clone consumable somehow contained the equivalentof multiple authentic consumables).

[0815] If a clone manufacturer is going to go to the trouble of buildinga custom ROM for each owner of a System, an easier approach would be toupdate System to completely ignore the authentication chip. For moreinformation, see Section 10.2.4.

[0816] Consequently, this attack is possible as a per-System attack, anda decision must be made about the chance of this occurring for a givenSystem/Consumable combination. The chance will depend on the cost of theconsumable and authentication chips, the longevity of the consumable,the profit margin on the consumable, the time taken to generate the ROM,the size of the resultant ROM, and whether customers will come back tothe clone manufacturer for refills that use the same clone chip etc.

[0817] 5.5.13 Differential Cryptanalysis

[0818] Existing differential attacks are heavily dependent on the structure of S boxes, as used in DES and other similar algorithms. Although other algorithms such as HMAC-SHA1 used in Protocol C1 have no S boxes, an attacker can undertake a differential-like attack by undertaking statistical analysis of:

[0819] Minimal-difference inputs, and their corresponding outputs

[0820] Minimal-difference outputs, and their corresponding inputs

[0821] To launch an attack of this nature, sets of input/output pairs must be collected. The collection from Protocol C1 can be via known plaintext, or from a partially adaptive chosen plaintext attack. Obviously the latter, being chosen, will be more useful.

[0822] Hashing algorithms in general are designed to be resistant to differential analysis. SHA-1 in particular has been specifically strengthened, especially by the 80 word expansion (see Section 6) so that minimal differences in input will still produce outputs that vary in a larger number of bit positions (compared to 128 bit hash functions). In addition, the information collected is not a direct SHA-1 input/output set, due to the nature of the HMAC algorithm. The HMAC algorithm hashes a known value with an unknown value (the key), and the result of this hash is then rehashed with a separate unknown value. Since the attacker does not know the secret value, nor the result of the first hash, the inputs and outputs from SHA-1 are not known, making any differential attack extremely difficult.

[0823] There are no known differential attacks against SHA-1 or HMAC-SHA-1 [56][78]. Even if this does not change by the time Protocol C3 can be affordably included in an authentication chip, a move to Protocol C3 will eliminate this attack, and is therefore attractive.

[0824] The following is a more detailed discussion of minimally different inputs and outputs from the authentication chip based on Protocol C1.

[0825] 5.5.13.1 Minimal Difference Inputs

[0826] This is where an attacker takes a set of X, S_(K)[X] values where the X values are minimally different, and examines the statistical differences between the outputs S_(K)[X]. The attack relies on X values that only differ by a minimal number of bits.

[0827] The question then arises as to how to obtain minimally different X values in order to compare the S_(K)[X] values.

[0828] K₁: With K₁, the attacker needs to statistically examine minimally different X, S_(K1)[X] pairs. However the attacker cannot choose any X value and obtain a related S_(K1)[X] value. Since X, S_(K1)[X] pairs can only be generated by calling the Random function on a System authentication chip, the attacker must call Random multiple times, recording each observed pair in a table. A search must then be made through the observed values for enough minimally different X values to undertake a statistical analysis of the S_(K1)[X] values.

[0829] K₂: With K₂, the attacker needs to statistically examine minimally different X, S_(K2)[X] pairs. The only way of generating X, S_(K2)[X] pairs is via the Read function, which produces S_(K2)[X] for a given Y, S_(K1)[Y] pair, where X=Y|M. This means that Y and the changeable part of M can be chosen to a limited extent by an attacker. The amount of choice must therefore be limited as much as possible.

[0830] The first way of limiting an attacker's choice is to limit Y, since Read requires an input of the format Y, S_(K1)[Y]. Although a valid pair can be readily obtained from the Random function, it is a pair of Random's choosing. An attacker can only provide their own Y if they have obtained the appropriate pair from Random, or if they know K₁. Obtaining the appropriate pair from Random requires a brute force search. Knowing K₁ is only logically possible by performing cryptanalysis on pairs obtained from the Random function, effectively a known text attack. Although Random can only be called so many times per second, K₁ is common across System chips. Therefore known pairs can be generated in parallel.

[0831] The second way to limit an attacker's choice is to limit M, or at least the attacker's ability to choose M. The limiting of M is done by making some parts of M Read Only, yet different for each authentication chip, and other parts of M Decrement Only. The Read Only parts of M should ideally be different for each authentication chip, so could be information such as serial numbers, batch numbers, or random numbers. The Decrement Only parts of M mean that for an attacker to try a different M, they can only decrement those parts of M so many times: after the Decrement Only parts of M have been reduced to 0 those parts cannot be changed again. Obtaining a new authentication chip provides a new M, but the Read Only portions will be different from the previous authentication chip's Read Only portions, thus reducing an attacker's ability to choose M even further.

[0832] Consequently an attacker can only gain a limited number of chances at choosing values for Y and M.

[0833] 5.5.13.2 Minimal Difference Outputs

[0834] This is where an attacker takes a set of X, S_(K)[X] values where the S_(K)[X] values are minimally different, and examines the statistical differences between the X values. The attack relies on S_(K)[X] values that only differ by a minimal number of bits.

[0835] For both K₁ and K₂, there is no way for an attacker to generate an X value for a given S_(K)[X]. To do so would violate the fact that S is a one-way function (HMAC-SHA1). Consequently the only way for an attacker to mount an attack of this nature is to record all observed X, S_(K)[X] pairs in a table. A search must then be made through the observed values for enough minimally different S_(K)[X] values to undertake a statistical analysis of the X values. Given that this requires more work than a minimally different input attack (which is extremely limited due to the restriction on M and the choice of R), this attack is not fruitful.

[0836] 5.5.14 Message Substitution Attacks

[0837] In order for this kind of attack to be carried out, a clone consumable must contain a real authentication chip, but one that is effectively reusable since it never gets decremented. The clone authentication chip would intercept messages, and substitute its own. However this attack does not give success to the attacker.

[0838] A clone authentication chip may choose not to pass on a Write command to the real authentication chip. However the subsequent Read command must return the correct response (as if the Write had succeeded). To return the correct response, the hash value must be known for the specific R and M. As described in the birthday attack section, an attacker can only determine the hash value by actually updating M in a real Chip, which the attacker does not want to do. Even changing the R sent by System does not help since the System authentication chip must match the R during a subsequent Test.

[0839] A Message substitution attack would therefore be unsuccessful. This is only true if System updates the amount of consumable remaining before it is used.

[0840] 5.5.15 Reverse Engineering the Key Generator

[0841] If a pseudo-random number generator is used to generate keys, there is the potential for a clone manufacturer to obtain the generator program or to deduce the random seed used. This was the way in which the security layer of the Netscape browser was initially broken [33].

[0842] 5.5.16 Bypassing the Authentication Process

[0843] Protocol C1 requires the System to update the consumable state data before the consumable is used, and follow every write by a read (to authenticate the write). Thus each use of the consumable requires an authentication. If the System adheres to these two simple rules, a clone manufacturer will have to simulate authentication via a method above (such as sparse ROM lookup).

[0844] 5.5.17 Reuse of Authentication Chips

[0845] As described above, Protocol C1 requires the System to update the consumable state data before the consumable is used, and follow every write by a read (to authenticate the write). Thus each use of the consumable requires an authentication.

[0846] If a consumable has been used up, then its authentication chip will have had the appropriate state-data values decremented to 0. The chip can therefore not be used in another consumable.

[0847] Note that this only holds true for authentication chips that hold Decrement-Only data items. If there is no state data decremented with each usage, there is nothing stopping the reuse of the chip. This is the basic difference between Presence-Only authentication and Consumable Lifetime authentication. Protocol C1 allows both.

[0848] The bottom line is that if a consumable has Decrement Only data items that are used by the System, the authentication chip cannot be reused without being completely reprogrammed by a valid programming station that has knowledge of the secret key.

[0849] 5.5.18 Management Decision to Omit Authentication to Save Costs

[0850] Although not strictly an external attack, a decision to omit authentication in future Systems in order to save costs will have widely varying effects on different markets.

[0851] In the case of high volume consumables, it is essential to remember that it is very difficult to introduce authentication after the market has started, as systems requiring authenticated consumables will not work with older consumables still in circulation. Likewise, it is impractical to discontinue authentication at any stage, as older Systems will not work with the new, unauthenticated, consumables. In the second case, older Systems can be individually altered by replacing the System authentication chip by a simple chip that has the same programming interface, but whose Test function always succeeds. Of course the System may be programmed to test for an always-succeeding Test function, and shut down.

[0852] Without any form of protection, illegal cloning of high volume consumables is almost certain. However, with the patent and copyright protection, the probability of illegal cloning may be, say, 50%. However, this is not the only loss possible. If a clone manufacturer were to introduce clone consumables which caused damage to the System (e.g. clogged nozzles in a printer due to poor quality ink), then the loss in market acceptance, and the expense of warranty repairs, may be significant.

[0853] In the case of a specialized pairing, such as a car/car-keys, or door/door-key, or some other similar situation, the omission of authentication in future systems is trivial and without repercussions. This is because the consumer is sold the entire set of System and Consumable authentication chips at the one time.

[0854] 5.5.19 Garrote/Bribe Attack

[0855] This form of attack is only successful in one of two circumstances:

[0856] K₁, K₂, and R are already recorded by the chip-programmer, or

[0857] the attacker can coerce future values of K₁, K₂, and R to be recorded.

[0858] If humans or computer systems external to the Programming Station do not know the keys, there is no amount of force or bribery that can reveal them. The programming of authentication chips, described in Section 9 (and in [85], which covers the process in more detail), is specifically designed to reduce this possibility.

[0859] The level of security against this kind of attack is ultimately a decision for the System/Consumable owner, to be made according to the desired level of service.

[0860] For example, a car company may wish to keep a record of all keys manufactured, so that a person can request a new key to be made for their car. However this allows the potential compromise of the entire key database, allowing an attacker to make keys for any of the manufacturer's existing cars. It does not allow an attacker to make keys for any new cars. Of course, the key database itself may also be encrypted with a further key that requires a certain number of people to combine their key portions together for access. If no record is kept of which key is used in a particular car, there is no way to make additional keys should one become lost. Thus an owner will have to replace his car's authentication chip and all his car-keys. This is not necessarily a bad situation.

[0861] By contrast, in a consumable such as a printer ink cartridge, the one key combination is used for all Systems and all consumables. Certainly if no backup of the keys is kept, there is no human with knowledge of the key, and therefore no attack is possible. However, a no-backup situation is not desirable for a consumable such as ink cartridges, since if the key is lost no more consumables can be made. The manufacturer should therefore keep a backup of the key information in several parts, where a certain number of people must together combine their portions to reveal the full key information. This may be required in case the chip programming station needs to be reloaded.

[0862] In any case, none of these attacks are against Protocol C1 itself, since no humans are involved in the authentication process. Instead, it is an attack against the programming stage of the chips. See Section 9 and [85] for more details.

[0863] 6 HMAC-SHA1

[0864] The mechanism for authentication is the HMAC-SHA1 algorithm, acting on one of:

[0865] HMAC-SHA1 (R, K₁), or

[0866] HMAC-SHA1 (R|M, K₂)

[0867] This part examines the HMAC-SHA1 algorithm in greater detail than covered so far, and describes an optimization of the algorithm that requires fewer memory resources than the original definition.

[0868] 6.1 HMAC

[0869] The HMAC algorithm is described in Section 3.6.4.1. In summary, given the following definitions:

[0870] H = the hash function (e.g. MD5 or SHA-1)

[0871] n = number of bits output from H (e.g. 160 for SHA-1, 128 bits for MD5)

[0872] M = the data to which the MAC function is to be applied

[0873] K = the secret key shared by the two parties

[0874] ipad = 0x36 repeated 64 times

[0875] opad = 0x5C repeated 64 times

[0876] The HMAC algorithm is as follows:

[0877] 1. Extend K to 64 bytes by appending 0x00 bytes to the end of K

[0878] 2. XOR the 64 byte string created in (1) with ipad

[0879] 3. Append data stream M to the 64 byte string created in (2)

[0880] 4. Apply H to the stream generated in (3)

[0881] 5. XOR the 64 byte string created in (1) with opad

[0882] 6. Append the H result from (4) to the 64 byte string resulting from (5)

[0883] 7. Apply H to the output of (6) and output the result

[0884] Thus:

[0885] HMAC[M] = H[(K ⊕ opad) | H[(K ⊕ ipad) | M]]

[0886] The HMAC-SHA1 algorithm is simply HMAC with H = SHA-1.

[0887]6.2 SHA-1

[0888] The SHA-1 hashing algorithm is described in the context of other hashing algorithms in Section 3.6.3.3, and completely defined in [27]. The algorithm is summarized here.

[0889] Nine 32-bit constants are defined in Table 3. There are 5 constants used to initialize the chaining variables, and there are 4 additive constants.

TABLE 3 Constants used in SHA-1
  Initial Chaining Values    Additive Constants
  h1  0x67452301             y1  0x5A827999
  h2  0xEFCDAB89             y2  0x6ED9EBA1
  h3  0x98BADCFE             y3  0x8F1BBCDC
  h4  0x10325476             y4  0xCA62C1D6
  h5  0xC3D2E1F0

[0890] Non-optimized SHA-1 requires a total of 2912 bits of data storage:

[0891] Five 32-bit chaining variables are defined: H₁, H₂, H₃, H₄ and H₅.

[0892] Five 32-bit working variables are defined: A, B, C, D, and E.

[0893] One 32-bit temporary variable is defined: t.

[0894] Eighty 32-bit temporary registers are defined: X₀₋₇₉.

[0895] The following functions are defined for SHA-1:

TABLE 4 Functions used in SHA-1
  Symbolic Nomenclature   Description
  +                       Addition modulo 2³²
  X << Y                  Result of rotating X left through Y bit positions
  f(X, Y, Z)              (X ∧ Y) ∨ (¬X ∧ Z)
  g(X, Y, Z)              (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)
  h(X, Y, Z)              X ⊕ Y ⊕ Z

[0896] The hashing algorithm consists of firstly padding the input message to be a multiple of 512 bits and initializing the chaining variables H₁₋₅ with h₁₋₅. The padded message is then processed in 512-bit chunks, with the output hash value being the final 160-bit value given by the concatenation of the chaining variables: H₁|H₂|H₃|H₄|H₅.

[0897] The steps of the SHA-1 algorithm are now examined in greater detail.

[0898] 6.2.1 Step 1. Preprocessing

[0899] The first step of SHA-1 is to pad the input message to be a multiple of 512 bits as follows and to initialize the chaining variables.

TABLE 5 Steps to follow to preprocess the input message
  Pad the input message             Append a 1 bit to the message.
                                    Append 0 bits such that the length of the padded message is 64 bits short of a multiple of 512 bits.
                                    Append a 64-bit value containing the length in bits of the original input message. Store the length as most significant bit through to least significant bit.
  Initialize the chaining variables H₁ ← h₁, H₂ ← h₂, H₃ ← h₃, H₄ ← h₄, H₅ ← h₅

[0900] 6.2.2 Step 2. Processing

[0901] The padded input message can now be processed.

[0902] We process the message in 512-bit blocks. Each 512-bit block is in the form of 16×32-bit words, referred to as InputWord₀₋₁₅.

TABLE 6 Steps to follow for each 512-bit block (InputWord₀₋₁₅)
  Copy the 512 input bits into X₀₋₁₅   For j=0 to 15: X_(j) ← InputWord_(j)
  Expand X₀₋₁₅ into X₁₆₋₇₉              For j=16 to 79: X_(j) ← ((X_(j-3) ⊕ X_(j-8) ⊕ X_(j-14) ⊕ X_(j-16)) << 1)
  Initialize working variables          A ← H₁, B ← H₂, C ← H₃, D ← H₄, E ← H₅
  Round 1                               For j=0 to 19: t ← ((A << 5) + f(B, C, D) + E + X_(j) + y₁); E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 2                               For j=20 to 39: t ← ((A << 5) + h(B, C, D) + E + X_(j) + y₂); E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 3                               For j=40 to 59: t ← ((A << 5) + g(B, C, D) + E + X_(j) + y₃); E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 4                               For j=60 to 79: t ← ((A << 5) + h(B, C, D) + E + X_(j) + y₄); E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Update chaining variables             H₁ ← H₁ + A, H₂ ← H₂ + B, H₃ ← H₃ + C, H₄ ← H₄ + D, H₅ ← H₅ + E

[0903] The bold text is to emphasize the differences between each round.

[0904] 6.2.3 Step 3. Completion

[0905] After all the 512-bit blocks of the padded input message have been processed, the output hash value is the final 160-bit value given by: H₁|H₂|H₃|H₄|H₅.

[0906]6.2.4 Optimization for Hardware Implementation

[0907] The SHA-1 Step 2 procedure is not optimized for hardware. In particular, the 80 temporary 32-bit registers use up valuable silicon on a hardware implementation. This section describes an optimization to the SHA-1 algorithm that only uses 16 temporary registers. The reduction in silicon is from 2560 bits down to 512 bits, a saving of over 2000 bits. It may not be important in some applications, but in the authentication chip storage space must be reduced where possible.

[0908] The optimization is based on the fact that although the original 16-word message block is expanded into an 80-word message block, the 80 words are not updated during the algorithm. In addition, the words rely on the previous 16 words only, and hence the expanded words can be calculated on-the-fly during processing, as long as we keep 16 words for the backward references. We require rotating counters to keep track of which register we are up to using, but the effect is to save a large amount of storage.

[0909] Rather than index X by a single value j, we use a 5 bit counter to count through the iterations. This can be achieved by initializing a 5-bit register with either 16 or 20, and decrementing it until it reaches 0. In order to update the 16 temporary variables as if they were 80, we require 4 indexes, each a 4-bit register. All 4 indexes increment (with wraparound) during the course of the algorithm.

TABLE 7 Optimised steps to follow for each 512-bit block (InputWord₀₋₁₅); ↑N denotes incrementing the 4-bit counter N with wraparound
  Initialize working variables                     A ← H₁, B ← H₂, C ← H₃, D ← H₄, E ← H₅; N₁ ← 13, N₂ ← 8, N₃ ← 2, N₄ ← 0
  Round 0 (copy the 512 input bits into X₀₋₁₅)      Do 16 times: X_(N4) ← InputWord_(N4); [↑N₁, ↑N₂, ↑N₃]_(optional), ↑N₄
  Round 1A                                         Do 16 times: t ← ((A << 5) + f(B, C, D) + E + X_(N4) + y₁); [↑N₁, ↑N₂, ↑N₃]_(optional), ↑N₄; E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 1B                                         Do 4 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕ X_(N3) ⊕ X_(N4)) << 1); t ← ((A << 5) + f(B, C, D) + E + X_(N4) + y₁); ↑N₁, ↑N₂, ↑N₃, ↑N₄; E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 2                                          Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕ X_(N3) ⊕ X_(N4)) << 1); t ← ((A << 5) + h(B, C, D) + E + X_(N4) + y₂); ↑N₁, ↑N₂, ↑N₃, ↑N₄; E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 3                                          Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕ X_(N3) ⊕ X_(N4)) << 1); t ← ((A << 5) + g(B, C, D) + E + X_(N4) + y₃); ↑N₁, ↑N₂, ↑N₃, ↑N₄; E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Round 4                                          Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕ X_(N3) ⊕ X_(N4)) << 1); t ← ((A << 5) + h(B, C, D) + E + X_(N4) + y₄); ↑N₁, ↑N₂, ↑N₃, ↑N₄; E ← D, D ← C, C ← (B << 30), B ← A, A ← t
  Update chaining variables                        H₁ ← H₁ + A, H₂ ← H₂ + B, H₃ ← H₃ + C, H₄ ← H₄ + D, H₅ ← H₅ + E

[0910] The bold text is to emphasize the differences between each round.

[0911] The incrementing of N₁, N₂, and N₃ during Rounds 0 and 1A is optional. A software implementation would not increment them, since it takes time, and at the end of the 16 times through the loop, all 4 counters will be at their original values. Designers of hardware may wish to increment all 4 counters together to save on control logic.

[0912] Round 0 can be completely omitted if the caller loads the 512 bits of X₀₋₁₅.

[0913] 6.3 HMAC-SHA1

[0914] In the authentication chip implementation, the HMAC-SHA1 unit only ever performs hashing on two types of inputs: on R using K₁ and on R|M using K₂. Since the inputs are two constant lengths, rather than have HMAC and SHA-1 as separate entities on chip, they can be combined and the hardware optimized. The HMAC-SHA1 test cases described by Cheng and Glenn [14] will remain valid.

[0915] The padding of messages in SHA-1 Step 1 (a 1 bit, a string of 0 bits, and the length of the message) is necessary to ensure that different messages will not look the same after padding. Since we only deal with 2 types of messages, our padding can be constant 0s.

[0916] In addition, the optimized version of the SHA-1 algorithm is used, where only 16 32-bit words are used for temporary storage. These 16 registers are loaded directly by the optimized HMAC-SHA1 hardware.

[0917] The nine 32-bit constants h₁₋₅ and y₁₋₄ are still required, although the fact that they are constants is an advantage for hardware implementation.

[0918] Hardware optimized HMAC-SHA-1 requires a total of 1024 bits of data storage:

[0919] Five 32-bit chaining variables are defined: H₁, H₂, H₃, H₄ and H₅.

[0920] Five 32-bit working variables are defined: A, B, C, D, and E.

[0921] Five 32-bit variables for temporary storage and final result: Buff160₁₋₅

[0922] One 32 bit temporary variable is defined: t.

[0923] Sixteen 32-bit temporary registers are defined: X₀₋₁₅.

[0924] The following two sections describe the steps for the two types of calls to HMAC-SHA1.

[0925] 6.3.1 H[R, K₁]

[0926] In the case of producing the keyed hash of R using K₁, the original input message R is a constant length of 160 bits. We can therefore take advantage of this fact during processing. Rather than load X₀₋₁₅ during the first part of the SHA-1 algorithm, we load X₀₋₁₅ directly, and thereby omit Round 0 of the optimized Process Block (Step 2) of SHA-1. The pseudocode takes on the following steps:

TABLE 8 Calculating H[R, K₁]
  Step  Description             Action
  1     Process K ⊕ ipad        X₀₋₄ ← K₁ ⊕ 0x363636...
  2                             X₅₋₁₅ ← 0x363636...
  3                             H₁₋₅ ← h₁₋₅
  4                             Process Block
  5     Process R               X₀₋₄ ← R
  6                             X₅₋₁₅ ← 0
  7                             Process Block
  8                             Buff160₁₋₅ ← H₁₋₅
  9     Process K ⊕ opad        X₀₋₄ ← K₁ ⊕ 0x5C5C5C...
  10                            X₅₋₁₅ ← 0x5C5C5C...
  11                            H₁₋₅ ← h₁₋₅
  12                            Process Block
  13    Process previous H[x]   X₀₋₄ ← Result
  14                            X₅₋₁₅ ← 0
  15                            Process Block
  16    Get results             Buff160₁₋₅ ← H₁₋₅

[0927] 6.3.2 H[R|M, K₂]

[0928] In the case of producing the keyed hash of R|M using K₂, the original input message is a constant length of 416 (256+160) bits. We can therefore take advantage of this fact during processing. Rather than load X₀₋₁₅ during the first part of the SHA-1 algorithm, we load X₀₋₁₅ directly, and thereby omit Round 0 of the optimized Process Block (Step 2) of SHA-1. The pseudocode takes on the following steps:

TABLE 9 Calculating H[R | M, K₂]
  Step  Description             Action
  1     Process K ⊕ ipad        X₀₋₄ ← K₂ ⊕ 0x363636...
  2                             X₅₋₁₅ ← 0x363636...
  3                             H₁₋₅ ← h₁₋₅
  4                             Process Block
  5     Process R | M           X₀₋₄ ← R
  6                             X₅₋₁₂ ← M
  7                             X₁₃₋₁₅ ← 0
  8                             Process Block
  9                             Temp ← H₁₋₅
  10    Process K ⊕ opad        X₀₋₄ ← K₂ ⊕ 0x5C5C5C...
  11                            X₅₋₁₅ ← 0x5C5C5C...
  12                            H₁₋₅ ← h₁₋₅
  13                            Process Block
  14    Process previous H[x]   X₀₋₄ ← Temp
  15                            X₅₋₁₅ ← 0
  16                            Process Block
  17    Get results             Result ← H₁₋₅
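The SHA-1 block function of Table 7 with its 16-register on-the-fly expansion, the standard HMAC construction of Section 6.1, and the chip's zero-filled forms of Tables 8 and 9, as an added C example. It is not part of the patent text and not the authentication chip's hardware; the 0x42 value used for R and the 0x0B key in the checks are constructed, while the SHA-1("abc") and RFC 2202 values are published test vectors:

```c
#include <stdint.h>
#include <string.h>

/* Table 3 constants: initial chaining values h1..h5 and additive constants y1..y4. */
static const uint32_t H0[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
static const uint32_t Y[4] = {0x5A827999u, 0x6ED9EBA1u, 0x8F1BBCDCu, 0xCA62C1D6u};
static uint32_t rotl(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static int same(const uint32_t a[5], const uint32_t b[5]) { return memcmp(a, b, 20) == 0; }

/* Table 7: one 512-bit block with only 16 message registers. From j = 16 on, X[j mod 16] is
 * overwritten by the expanded word; it needs only words j-3, j-8, j-14, j-16, which are still
 * in the ring at offsets 13, 8, 2, 0 from j (the N1..N4 counters). X is consumed in place. */
static void process_block(uint32_t H[5], uint32_t X[16])
{
    uint32_t A = H[0], B = H[1], C = H[2], D = H[3], E = H[4], f, t;
    for (unsigned j = 0; j < 80; j++) {
        unsigned n4 = j & 15;
        if (j >= 16) X[n4] = rotl(X[(j + 13) & 15] ^ X[(j + 8) & 15] ^ X[(j + 2) & 15] ^ X[n4], 1);
        if (j < 20) f = (B & C) | (~B & D);                 /* f(): round 1 */
        else if (j < 40 || j >= 60) f = B ^ C ^ D;          /* h(): rounds 2 and 4 */
        else f = (B & C) | (B & D) | (C & D);               /* g(): round 3 */
        t = rotl(A, 5) + f + E + X[n4] + Y[j / 20];
        E = D; D = C; C = rotl(B, 30); B = A; A = t;
    }
    H[0] += A; H[1] += B; H[2] += C; H[3] += D; H[4] += E;
}

/* Standard SHA-1 with Table 5 padding: a 1 bit, zeros, then the 64-bit big-endian bit length. */
void sha1(const uint8_t *msg, size_t len, uint32_t out[5])
{
    uint32_t H[5], X[16];
    size_t total = ((len + 8) / 64 + 1) * 64;  /* padded length in bytes */
    uint64_t bits = (uint64_t)len * 8;
    memcpy(H, H0, sizeof H);
    for (size_t off = 0; off < total; off += 64) {
        for (size_t p = off; p < off + 64; p++) {  /* assemble big-endian words from the padded stream */
            uint8_t v = p < len ? msg[p] : p == len ? 0x80
                      : p >= total - 8 ? (uint8_t)(bits >> (8 * (total - 1 - p))) : 0;
            X[(p - off) / 4] = (p % 4 == 0 ? 0 : X[(p - off) / 4] << 8) | v;
        }
        process_block(H, X);
    }
    memcpy(out, H, sizeof H);
}

/* Section 6.1 steps 1-7: RFC 2104 HMAC with H = SHA-1; key and message capped at 64 bytes. */
int hmac_sha1(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen, uint32_t out[5])
{
    uint8_t buf[128]; uint32_t inner[5];
    if (klen > 64 || mlen > 64) return -1;
    memset(buf, 0, 64); memcpy(buf, key, klen);               /* 1: extend K with 0x00 bytes */
    for (int i = 0; i < 64; i++) buf[i] ^= 0x36;               /* 2: K xor ipad */
    memcpy(buf + 64, msg, mlen); sha1(buf, 64 + mlen, inner);  /* 3-4: H[(K xor ipad) | M] */
    memset(buf, 0, 64); memcpy(buf, key, klen);
    for (int i = 0; i < 64; i++) buf[i] ^= 0x5C;               /* 5: K xor opad */
    for (int i = 0; i < 20; i++) buf[64 + i] = (uint8_t)(inner[i / 4] >> (24 - 8 * (i % 4)));
    sha1(buf, 84, out);                                        /* 6-7: H[(K xor opad) | inner] */
    return 0;
}

/* Tables 8 and 9: the chip's combined form. The 160-bit key fills X0..4 of the ipad/opad blocks
 * (bytes past the key are 0x00 xor pad = pad); the message block (R = 5 words, R|M = 13 words)
 * is zero-filled to 16 words instead of carrying SHA-1's 1-bit/length padding (Section 6.3). */
int chip_hmac_sha1(const uint32_t key[5], const uint32_t *msg, unsigned nwords, uint32_t out[5])
{
    uint32_t H[5], X[16], buff160[5]; unsigned i;
    if (nwords > 16) return -1;
    memcpy(H, H0, sizeof H);                                             /* step 3: H <- h */
    for (i = 0; i < 16; i++) X[i] = (i < 5 ? key[i] : 0) ^ 0x36363636u;  /* steps 1-2: K xor ipad */
    process_block(H, X);                                                 /* step 4 */
    for (i = 0; i < 16; i++) X[i] = i < nwords ? msg[i] : 0;             /* steps 5-7: message, zero-filled */
    process_block(H, X); memcpy(buff160, H, sizeof H);                   /* step 8; Buff160 <- H */
    memcpy(H, H0, sizeof H);
    for (i = 0; i < 16; i++) X[i] = (i < 5 ? key[i] : 0) ^ 0x5C5C5C5Cu;  /* K xor opad block */
    process_block(H, X);
    for (i = 0; i < 16; i++) X[i] = i < 5 ? buff160[i] : 0;              /* previous H[x], zero-filled */
    process_block(H, X); memcpy(out, H, sizeof H);
    return 0;
}

/* Known answers: SHA-1("abc") from FIPS 180-1 and HMAC-SHA1 test case 1 from RFC 2202. */
int check_sha1_abc(void)
{
    static const uint32_t want[5] = {0xA9993E36u, 0x4706816Au, 0xBA3E2571u, 0x7850C26Cu, 0x9CD0D89Du};
    uint32_t d[5]; sha1((const uint8_t *)"abc", 3, d); return same(d, want);
}
int check_hmac_rfc2202(void)
{
    static const uint32_t want[5] = {0xB6173186u, 0x55057264u, 0xE28BC0B6u, 0xFB378C8Eu, 0xF146BE00u};
    uint8_t key[20]; uint32_t d[5]; memset(key, 0x0B, 20);
    return hmac_sha1(key, 20, (const uint8_t *)"Hi There", 8, d) == 0 && same(d, want);
}
/* The zero-filled inner block makes the chip's value differ from RFC 2104 HMAC of the same bytes. */
int check_chip_form_differs(void)
{
    uint32_t kw[5], rw[5], std[5], chip[5]; uint8_t kb[20], rb[20];
    memset(kb, 0x0B, 20); memset(kw, 0x0B, 20); memset(rb, 0x42, 20); memset(rw, 0x42, 20); /* constructed R */
    hmac_sha1(kb, 20, rb, 20, std); chip_hmac_sha1(kw, rw, 5, chip);
    return !same(std, chip);
}
```

The two known-answer checks confirm that the 16-register ring reproduces standard SHA-1 and RFC 2104 HMAC-SHA1, so the storage saving of Section 6.2.4 costs nothing in correctness. The third check makes the practical consequence of Section 6.3 visible: because the chip's message block is zero-filled rather than padded with the 1 bit and length, a System-side verifier built on a general-purpose HMAC-SHA1 library will only match the chip if it feeds the same zero-filled blocks through the compression function, as chip_hmac_sha1 does.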

[0929] 7 Data Storage Integrity

[0930] Each authentication chip contains some non-volatile memory in order to hold the variables required by Authentication Protocol C1.

[0931] The following non-volatile variables are defined:

TABLE 10 Non volatile variables required by Protocol C1
  Variable Name        Size (in bits)  Description
  M[0...15]            256             16 words (each 16 bits) containing state data such as serial numbers, media remaining etc.
  K₁                   160             Key used to transform R during authentication
  K₂                   160             Key used to transform M during authentication
  R                    160             Current random number
  AccessMode[0...15]   32              The 16 sets of 2-bit AccessMode values for M[n]
  Checksum             160             S[K₁ | K₂]. Used to verify that K₁ and K₂ have not been tampered with.
  MinTicks             32              The minimum number of clock ticks between calls to key-based functions
  SIWritten            1               If set, the secret key information (K₁, K₂, and R) has been written to the chip. If clear, the secret information has not been written yet.
  IsTrusted            1               If set, the RND and TST functions can be called, but RD and WR functions cannot be called. If clear, the RND and TST functions cannot be called, but RD and WR functions can be called.
  Total bits           962

[0932] Note that if these variables are in Flash memory, it is not a simple matter to write a new value to replace the old. The memory must be erased first, and then the appropriate bits set. This has an effect on the algorithms used to change Flash memory based variables. For example, Flash memory cannot easily be used as shift registers. To update a Flash memory variable by a general operation, it is necessary to follow these steps:

[0933] 1. Read the entire N bit value into a general purpose register;

[0934] 2. Perform the operation on the general purpose register;

[0935] 3. Erase the Flash memory corresponding to the variable; and

[0936] 4. Set the bits of the Flash memory location based on the bits set in the general-purpose register.

[0937] A RESET of the authentication chip has no effect on these non-volatile variables.

[0938] 7.1 M and Accessmode

[0939] Variables M[0] through M[15] are used to hold consumable statedata, such as serial numbers, batch numbers, and amount of consumableremaining. Each M[n] register is 16 bits, making the entire M vector 256bits (32 bytes). Clients cannot read from or written to individual M[n]variables. Instead, the entire vector, referred to as M, is read orwritten in a single logical access.

[0940] M can be read using the RD (read) command, and written to via theWR (write) command. The commands only succeed if K₁ and K₂ are bothdefined (SIWritten=1) and the authentication chip is a consumablenon-trusted chip (IsTrusted=0).

[0941] Although M may contain a number of different data types, they differ only in their write permissions. Each data type can always be read. Once in client memory, the 256 bits can be interpreted in any way chosen by the client. The entire 256 bits of M are read at one time instead of in smaller amounts for reasons of security, as described in Section 5. The different write permissions are outlined in Table 11:

TABLE 11 Write Permissions

Data Type       Access Mode
Read Only       Can never be written to
ReadWrite       Can always be written to
Decrement Only  Can only be written to if the new value is less than the old value. Decrement Only values are typically 16-bit or 32-bit values, but can be any multiple of 16 bits.

[0942] To accomplish the protection required for writing, a 2-bit access mode value is defined for each M[n]. The following table defines the interpretation of the 2-bit access mode bit-pattern:

TABLE 12

Bits  Op    Interpretation                                    Action taken during Write command
00    RW    ReadWrite                                         The new 16-bit value is always written to M[n].
01    MSR   Decrement Only (Most Significant Region)          The new 16-bit value is only written to M[n] if it is less than the value currently in M[n]. This is used for access to the Most Significant 16 bits of a Decrement Only number.
10    NMSR  Decrement Only (Not the Most Significant Region)  The new 16-bit value is only written to M[n] if M[n+1] can also be written. The NMSR access mode allows multiple precision values of 32 bits and more (multiples of 16 bits) to decrement.
11    RO    Read Only                                         The new 16-bit value is ignored. M[n] is left unchanged.

[0943] The 16 sets of access mode bits for the 16 M[n] registers are gathered together in a single 32-bit AccessMode register. The 32 bits of the AccessMode register correspond to M[n] with n as follows (one 2-bit field per register, M[15] at the most significant end and M[0] at the least significant end):

MSB                                            LSB
15 14 13 12 11 10  9  8  7  6  5  4  3  2  1  0

[0944] Each 2-bit value is stored in hi/lo format. Consequently, ifM[0-5] were access mode MSR, with M[6-15] access mode RO, the 32-bitAccessMode register would be:

[0945] 11-11-11-11-11-11-11-11-11-11-01-01-01-01-01-01

[0946] During execution of a WR (write) command, AccessMode[n] isexamined for each M[n], and a decision made as to whether the new M[n]value will replace the old.

[0947] The AccessMode register is set using the authentication chip'sSAM (Set Access Mode) command.

[0948] Note that the Decrement Only comparison is unsigned, so anyDecrement Only values that require negative ranges must be shifted intoa positive range. For example, a consumable with a Decrement Only dataitem range of −50 to 50 must have the range shifted to be 0 to 100. TheSystem must then interpret the range 0 to 100 as being −50 to 50. Notethat most instances of Decrement Only ranges are N to 0, so there is norange shift required.

[0949] For Decrement Only data items, arrange the data in order frommost significant to least significant 16-bit quantities from M[n]onward. The access mode for the most significant 16 bits (stored inM[n]) should be set to MSR. The remaining registers (M[n+1], M[n+2]etc.) should have their access modes set to NMSR.

[0950] If erroneously set to NMSR, with no associated MSR region, eachNMSR region will be considered independently instead of being amulti-precision comparison.

[0951] Examples of allocating M and AccessMode bits can be found inSection 9.
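The AccessMode packing and the Table 12 write rules, as an added example in Python (not code from the patent). It packs 16 two-bit modes into the 32-bit register in the layout of [0943] and [0945], and applies a WR of a new M. The treatment of a Decrement Only group is this example's reading of the text: an MSR word followed by its NMSR words is compared as one unsigned multi-precision number (most significant word first) and written only if the new value is smaller, while an NMSR word with no MSR in front of it is compared on its own as [0950] warns. The layout in LAYOUT and the sample values in demo() are constructed for the demonstration.

```python
# Added example: AccessMode register packing and the WR access-mode rules.
# A model of the behaviour described in the text, not the patent's own code.

RW, MSR, NMSR, RO = 0b00, 0b01, 0b10, 0b11
WORDS = 16                      # M[0..15], 16 bits each


def pack_access_mode(modes):
    """Pack 16 two-bit modes into the 32-bit AccessMode register.

    modes[n] is the mode for M[n]; M[0] occupies the two least significant
    bits of the register and M[15] the two most significant.
    """
    if len(modes) != WORDS:
        raise ValueError("need exactly 16 access modes")
    reg = 0
    for n, mode in enumerate(modes):
        reg |= (mode & 0b11) << (2 * n)
    return reg


def unpack_access_mode(reg):
    return [(reg >> (2 * n)) & 0b11 for n in range(WORDS)]


def format_access_mode(reg):
    """Render the register as the specification does: M[15] on the left."""
    return "-".join(f"{(reg >> (2 * n)) & 0b11:02b}" for n in range(WORDS - 1, -1, -1))


def shift_range(value, low):
    """Map a signed Decrement Only range [low, high] onto [0, high-low]: the
    chip compares unsigned, so -50..50 must be stored as 0..100."""
    return value - low


def wr(m_old, m_new, reg):
    """Return M after a WR of m_new, honouring each word's access mode.

    Words are 16-bit unsigned ints. A Decrement Only value is an MSR word
    followed by its NMSR words (most significant first); the whole group is
    compared as one unsigned multi-precision number and only written if the
    new value is smaller. A stray NMSR word is compared on its own.
    """
    modes = unpack_access_mode(reg)
    out = list(m_old)
    n = 0
    while n < WORDS:
        mode = modes[n]
        if mode == RW:
            out[n] = m_new[n] & 0xFFFF
            n += 1
        elif mode == RO:
            n += 1                      # new value ignored
        else:
            end = n + 1
            if mode == MSR:
                while end < WORDS and modes[end] == NMSR:
                    end += 1
            old_val = new_val = 0
            for i in range(n, end):     # concatenate, most significant word first
                old_val = (old_val << 16) | (m_old[i] & 0xFFFF)
                new_val = (new_val << 16) | (m_new[i] & 0xFFFF)
            if new_val < old_val:       # unsigned comparison
                out[n:end] = [w & 0xFFFF for w in m_new[n:end]]
            n = end
    return out


# Constructed layout: a 32-bit Decrement Only counter in M[0] (MSR) and
# M[1] (NMSR), a Read Only serial number in M[2], a ReadWrite word in M[3],
# everything else Read Only.
LAYOUT = [MSR, NMSR, RO, RW] + [RO] * 12
ACCESS_MODE = pack_access_mode(LAYOUT)


def demo():
    """Exercise the rules on constructed values; returns both resulting M."""
    m = [0x0001, 0x0000, 0x1234, 0x0000] + [0] * 12      # counter = 0x00010000
    # Decrement across the word boundary: 0x0000FFFF < 0x00010000, so the
    # NMSR word is allowed to grow from 0x0000 to 0xFFFF as part of the group.
    m1 = wr(m, [0x0000, 0xFFFF, 0x9999, 0x0042] + [0] * 12, ACCESS_MODE)
    # An attempted increase of the counter is refused; the RW word still updates.
    m2 = wr(m1, [0x0001, 0x0001, 0x9999, 0x0007] + [0] * 12, ACCESS_MODE)
    return m1, m2


if __name__ == "__main__":
    print(format_access_mode(ACCESS_MODE))
    for state in demo():
        print([f"{w:04x}" for w in state[:4]])
```

Note that a 32-bit counter stored with M[1] as an independent MSR word instead of NMSR could never go from 0x00010000 to 0x0000FFFF, since the low word would be seen as increasing; that is what the NMSR chaining buys.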

[0952] 7.2 K₁

[0953] K₁ is the 160-bit secret key used to transform R during theauthentication protocol. K₁ is programmed along with K₂, Checksum and Rwith the authentication chip's SSI (Set Secret Information) command.Since K₁ must be kept secret, clients cannot directly read K₁.

[0954] The commands that make use of K₁ are RND and RD. RND returns a pair R, S_(K1)[R] where R is a random number, while RD requires an X, S_(K1)[X] pair as input.

[0955] K₁ is used in the keyed one-way hash function HMAC-SHA1. As suchit should be programmed with a physically generated random number,gathered from a physically random phenomenon. K₁ must NOT be generatedwith a computer-run random number generator. The security of theauthentication chips depends on K₁, K₂ and R being generated in a waythat is not deterministic. For example, to set K₁, a person can toss afair coin 160 times, recording heads as 1, and tails as 0.

[0956] K₁ is automatically cleared to 0 upon execution of a CLR command.It can only be programmed to a non-zero value by the SSI command.

[0957] 7.3 K₂

[0958] K₂ is the 160-bit secret key used to transform M|R during theauthentication protocol. K₂ is programmed along with K₁, Checksum and Rwith the authentication chip's SSI (Set Secret Information) command.Since K₂ must be kept secret, clients cannot directly read K₂.

[0959] The commands that make use of K₂ are RD and TST. RD returns apair M, S_(K2)[M|X] where X was passed in as one of the parameters tothe RD function. TST requires an M, S_(K2)[M|R] pair as input, where Rwas obtained from the authentication chip's RND function.

[0960] K₂ is used in the keyed one-way hash function HMAC-SHA1. As suchit should be programmed with a physically generated random number,gathered from a physically random phenomenon. K₂ must NOT be generatedwith a computer-run random number generator. The security of theauthentication chips depends on K₁, K₂ and R being generated in a waythat is not deterministic. For example, to set K₂, a person can toss afair coin 160 times, recording heads as 1, and tails as 0.

[0961] K₂ is automatically cleared to 0 upon execution of a CLR command.It can only be programmed to a non-zero value by the SSI command.

[0962] 7.4 Checksum

[0963] The Checksum register is a 160-bit number used to verify that K₁and K₂ have not been altered by an attacker. Checksum is programmedalong with K₁ , K₂ and R with the authentication chip's SSI (Set SecretInformation) command. Since Checksum must be kept secret, clients cannotdirectly read Checksum.

[0964] The commands that make use of Checksum are any that make use ofK₁ and K₂—namely RND, RD, and TST. Before calculating any revealed valuebased on K₁ or K₂ a checksum on K₁ and K₂ is calculated and comparedagainst the stored Checksum value. The checksum calculated is the160-bit value S[K₁|K₂].

[0965] If K₁ and K₂ are stored as multilevel Flash memory, the fullmulti-level Flash values should be used for the verification processinstead of just the subset used to represent valid values.

[0966] Checksum is automatically cleared to 0 upon execution of a CLRcommand. It can only be programmed to a non-zero value by the SSIcommand.

[0967] 7.5 R and IsTrusted

[0968] R is a 160-bit random number seed that is programmed along withK₁ and K₂ with the SSI (Set Secret Information) command. R does not haveto be kept secret, since it is given freely to callers via the RNDcommand. However R must be changed only by the authentication chip, andnot set to any chosen value by a caller.

[0969] R is used during the TST command to ensure that the R from theprevious call to RND was used to generate the S_(K2)[M|R] value in thenon-trusted authentication chip (ChipA). Both RND and TST are only usedin trusted authentication chips (ChipT).

[0970] IsTrusted is a 1-bit flag register that determines whether or notthe authentication chip is a trusted chip (ChipT):

[0971] If the IsTrusted bit is set, the chip is considered to be atrusted chip, and hence clients can call RND and TST functions (but notRD or WR).

[0972] If the IsTrusted bit is clear, the chip is not considered to betrusted. Therefore RND and TST functions cannot be called (but RD and WRfunctions can be called instead). System never needs to call RND or TSTon the consumable (since a clone chip would simply return 1 to afunction such as TST, and a constant value for RND).

[0973] The IsTrusted bit has the added advantage of reducing the number of R, S_(K1)[R] pairs obtainable by an attacker, while still maintaining the integrity of the authentication protocol. To obtain valid R, S_(K1)[R] pairs, an attacker requires a System authentication chip, which is more expensive and less readily available than the consumables.

[0974] Both R and the IsTrusted bit are cleared to 0 by the CLR command. They are both written to by the issuing of the SSI command. The IsTrusted bit can only be set by storing a non-zero seed value in R via the SSI command (R must be non-zero to be a valid LFSR state, so this is quite reasonable). R is changed via a 160-bit maximal period LFSR with taps on bits 0, 2, 3, and 5, and is changed only by a successful call to TST (where 1 is returned).

[0975] Authentication chips destined to be trusted Chips used in Systems(ChipT) should have their IsTrusted bit set during programming, andauthentication chips used in Consumables (ChipA) should have theirIsTrusted bit kept clear (by storing 0 in R via the SSI command duringprogramming). There is no command to read or write the IsTrusted bitdirectly.

[0976] The logical security of the authentication chip does not only rely upon the randomness of K₁ and K₂ and the strength of the HMAC-SHA1 algorithm. To prevent an attacker from building a sparse lookup table, the security of the authentication chip also depends on the range of R over the lifetime of all Systems. What this means is that an attacker must not be able to deduce what values of R there are in produced and future Systems. As such R should be programmed with a physically generated random number, gathered from a physically random phenomenon. R must NOT be generated with a computer-run random number generator. The generation of R must not be deterministic. For example, to generate an R for use in a trusted System chip, a person can toss a fair coin 160 times, recording heads as 1, and tails as 0. The only non-valid initial value for a trusted R is 0 (if R=0 the IsTrusted bit will not be set).

[0977] 7.6 SIWritten

[0978] The SIWritten (Secret Information Written) 1-bit register holdsthe status of the secret information stored within the authenticationchip. The secret information is K₁, K₂ and R.

[0979] A client cannot directly access the SIWritten bit. Instead, it iscleared via the CLR command (which also clears K₁, K₂ and R). When theauthentication chip is programmed with secret keys and random numberseed using the SSI command (regardless of the value written), theSIWritten bit is set automatically. Although R is strictly not secret,it must be written together with K₁ and K₂ to ensure that an attackercannot generate their own random number seed in order to obtain chosenR, S_(K1)[R] pairs.

[0980] The SIWritten status bit is used by all functions that access K₁, K₂, or R. If the SIWritten bit is clear, then calls to RD, WR, RND,and TST are interpreted as calls to CLR.

[0981] 7.7 MinTicks

[0982] There are two mechanisms for preventing an attacker fromgenerating multiple calls to TST and RD functions in a short period oftime. The first is a clock limiting hardware component that prevents theinternal clock from operating at a speed more than a particular maximum(e.g. 10 MHz). The second mechanism is the 32-bit MinTicks register,which is used to specify the minimum number of clock ticks that mustelapse between calls to key-based functions.

[0983] The MinTicks variable is cleared to 0 via the CLR command. Bitscan then be set via the SMT (Set MinTicks) command. The input parameterto SMT contains the bit pattern that represents which bits of MinTicksare to be set. The practical effect is that an attacker can onlyincrease the value in MinTicks (since the SMT function only sets bits).In addition, there is no function provided to allow a caller to read thecurrent value of this register.

[0984] The value of MinTicks depends on the operating clock speed and the notion of what constitutes a reasonable time between key-based function calls (application specific). The duration of a single tick depends on the operating clock speed. This is the lower of the input clock speed and the maximum permitted by the authentication chip's clock-limiting hardware. For example, the authentication chip's clock-limiting hardware may be set at 10 MHz (it is not changeable), but the input clock is 1 MHz. In this case, the value of 1 tick is based on 1 MHz, not 10 MHz. If the input clock was 20 MHz instead of 1 MHz, the value of 1 tick is based on 10 MHz (since the clock speed is limited to 10 MHz).

[0985] Once the duration of a tick is known, the MinTicks value can be set. The value for MinTicks is the minimum number of ticks required to pass between calls to the key-based RD and TST functions: the desired real-time interval divided by the duration of one tick.

[0986] Suppose the input clock speed matches the maximum clock speed of10 MHz. If we want a minimum of 1 second between calls to key basedfunctions, the value for MinTicks is set to 10,000,000. Consider anattacker attempting to collect X, S_(K1)[X] pairs by calling RND, RD andTST multiple times. If the MinTicks value is set such that the amount oftime between calls to TST is 1 second, then each pair requires 1 secondto generate. To generate 2²⁵ pairs (only requiring 1.25 GB of storage),an attacker requires more than 1 year. An attack requiring 2⁶⁴ pairswould require 5.84×10¹¹ years using a single chip, or 584 years if 1billion chips were used, making such an attack completely impractical interms of time (not to mention the storage requirements!).

[0987] With regard to K₁, it should be noted that the MinTicks variable only slows down an attacker and causes the attack to cost more, since it does not stop an attacker using multiple System chips in parallel. However MinTicks does make an attack on K₂ more difficult, since each consumable has a different M (part of M is random read-only data). In order to launch a differential attack, minimally different inputs are required, and this can only be achieved with a single consumable (containing an effectively constant part of M). Minimally different inputs require the attacker to use a single chip, and MinTicks causes the use of a single chip to be slowed down. If it takes a year just to get the data to start searching for values to begin a differential attack, this increases the cost of attack and reduces the effective market time of a clone consumable.

[0988] 8. Authentication Chip Commands

[0989] The System communicates with the authentication chips via asimple operation command set. This section details the actual commandsand parameters necessary for implementation of Protocol C1.

[0990] The authentication chip is defined here as communicating toSystem via a serial interface as a minimum implementation. It is atrivial matter to define an equivalent chip that operates over a widerinterface (such as 8, 16 or 32 bits).

[0991] Each command is defined by a 3-bit opcode. The interpretation of the opcode can depend on the current value of the IsTrusted bit and the current value of the SIWritten bit.

[0992] The following operations are defined:

TABLE 13 Authentication Chip Commands

Op    T   W   Mn    Input                  Output       Description
000   -   -   CLR   -                      -            Clear
001   0   0   SSI   [160, 160, 160, 160]   -            Set Secret Information
010   0   1   RD    [160, 160]             [256, 160]   Read M securely
010   1   1   RND   -                      [160, 160]   Random
011   0   1   WR    [256]                  -            Write M
011   1   1   TST   [256, 160]             [1]          Test
100   0   1   SAM   [32]                   [32]         Set Access Mode
101   -   1   GIT   -                      [1]          Get IsTrusted
110   -   1   SMT   [32]                   -            Set MinTicks

Op = 3-bit opcode; T = required value of the IsTrusted bit; W = required value of the SIWritten bit; Mn = mnemonic; input and output sizes are in bits.

[0993] Any command not defined in this table (for example opcode 111) is interpreted as NOP (No Operation). This is regardless of the IsTrusted or SIWritten value, and includes any opcode other than SSI when SIWritten=0.

[0994] Note that the opcodes for RD and RND are the same, as are the opcodes for WR and TST. The actual command run upon receipt of the opcode will depend on the current value of the IsTrusted bit (as long as SIWritten is 1). Where the IsTrusted bit is clear, RD and WR functions will be called. Where the IsTrusted bit is set, RND and TST functions will be called. The two sets of commands are mutually exclusive between trusted and non-trusted authentication chips, and sharing the same opcodes enforces this relationship.

[0995] Each of the commands is examined in detail in the subsequentsections. Note that some algorithms are specifically designed becauseFlash memory is assumed for the implementation of non-volatilevariables.

[0996] 8.1 CLR-CLEAR

[0997] Input: None

[0998] Output: None

[0999] Changes: All

[1000] The CLR (Clear) Command is designed to completely erase thecontents of all authentication chip memory. This includes all keys andsecret information, access mode bits, and state data. After theexecution of the CLR command, an authentication chip will be in aprogrammable state, just as if it had been freshly manufactured. It canbe reprogrammed with a new key and reused.

[1001] A CLR command consists of simply the CLR command opcode. Sincethe authentication chip is serial, this must be transferred one bit at atime. The bit order is LSB to MSB for each command component. A CLRcommand is therefore sent as bits 0-2 of the CLR opcode. A total of 3bits are transferred.

[1002] The CLR command can be called directly at any time.

[1003] The order of erasure is important. SIWritten must be clearedfirst, to disable further calls to key access functions (such as RND,TST, RD and WR). If the AccessMode bits are cleared before SIWritten, anattacker could remove power at some point after they have been cleared,and manipulate M, thereby have a better chance of retrieving the secretinformation with a partial chosen text attack.

[1004] The CLR command is implemented with the following steps:

TABLE 14 Steps in CLR command

Step  Action
1     Erase SIWritten, IsTrusted, K₁, K₂, R, M
2     Erase AccessMode, MinTicks

[1005] Once the chip has been cleared it is ready for reprogramming andreuse. A blank chip is of no use to an attacker, since although they cancreate any value for M (M can be read from and written to), key-basedfunctions will not provide any information as K₁ and K₂ will beincorrect.

[1006] When CLR is executed in place of another command (for example because SIWritten is 0), it is not necessary to consume that command's input parameter bits. An attacker will simply have to RESET the chip. The reason for calling CLR is to ensure that all secret information has been destroyed, making the chip useless to an attacker.

[1007] 8.2 SSI—Set Secret Information

[1008] Input: K₁, K₂, Checksum, R=[160 bits, 160 bits, 160 bits, 160bits]

[1009] Output: None

[1010] Changes: K₁ , K₂, Checksum, R, SIWritten, IsTrusted

[1011] The SSI (Set Secret Information) command is used to load the K₁,K₂ and associated Checksum variable, the R variable, and to setSIWritten and IsTrusted flags for later calls to RND, TST, RD and WRcommands. An SSI command consists of the SSI command opcode followed bythe secret information to be stored in the K₁ , K₂, Checksum and Rregisters. Since the authentication chip is serial, this must betransferred one bit at a time. The bit order is LSB to MSB for eachcommand component.

[1012] An SSI command is therefore sent as: bits 0-2 of the SSI opcode,followed by bits 0-159 of the new value for K₁, bits 0-159 of the newvalue for K₂, bits 0-159 of the new value for Checksum, and finally bits0-159 of the seed value for R. A total of 643 bits are transferred.

[1013] The K₁, K₂, Checksum, R, SIWritten, and IsTrusted registers areall cleared to 0 with a CLR command. They can only be set using the SSIcommand.

[1014] The SSI command uses the flag SIWritten to store the fact thatdata has been loaded into K₁, K₂, Checksum and R. If the SIWritten andIsTrusted flags are clear (this is the case after a CLR instruction),then K₁, K₂, Checksum and R are loaded with the new values. If eitherflag is set, an attempted call to SSI results in a CLR command beingexecuted, since only an attacker or an erroneous client would attempt tochange keys or the random seed without calling CLR first.

[1015] The SSI command also sets the IsTrusted flag depending on the value for R. If R=0, then the chip is considered untrustworthy, and therefore IsTrusted remains at 0. If R≠0, then the chip is considered trustworthy, and therefore IsTrusted is set to 1. Note that the setting of the IsTrusted bit only occurs during the SSI command.

[1016] If an authentication chip is to be reused, the CLR command mustbe called first. The keys can then be safely reprogrammed with an SSIcommand, and fresh state information loaded into M using the SAM and WRcommands.

[1017] The SSI command is implemented with the following steps:

TABLE 15 Steps in SSI command

Step  Action
1     CLR
2     K₁ ← Read 160 bits from client
3     K₂ ← Read 160 bits from client
4     Checksum ← Read 160 bits from client
5     R ← Read 160 bits from client
6     IF (R ≠ 0) IsTrusted ← 1
7     SIWritten ← 1

8.3 RD-Read

Input: X, S_(K1)[X]=[160 bits, 160 bits]

Output: M, S_(K2)[X|M]=[256 bits, 160 bits]

[1018] The RD (Read) command is used to securely read the entire 256 bits of state data (M) from a non-trusted authentication chip. Only a valid authentication chip will respond correctly to the RD request. The output bits from the RD command can be fed as the input bits to the TST command on a trusted authentication chip for verification, with the first 256 bits (M) stored for later use if (as we hope) TST returns 1.

[1019] Since the authentication chip is serial, the command and input parameters must be transferred one bit at a time. The bit order is LSB to MSB for each command component. An RD command is therefore: bits 0-2 of the RD opcode, followed by bits 0-159 of X, and bits 0-159 of S_(K1)[X]. 323 bits are transferred in total. X and S_(K1)[X] are obtained by calling the trusted authentication chip's RND command. The 320 bits output by the trusted chip's RND command can therefore be fed directly into the non-trusted chip's RD command, with no need for these bits to be stored by System.

[1020] The RD command can only be used when the following conditionshave been met:

[1021] SIWritten=1 indicating that K₁, K₂, Checksum and R have been setup via the SSI command; and

[1022] IsTrusted=0 indicating the chip is not trusted since it is notpermitted to generate random number sequences;

[1023] In addition, calls to RD must wait for the MinTicksRemainingregister to reach 0. Once it has done so, the register is reloaded withMinTicks to ensure that a minimum time will elapse between calls to RD.

[1024] Once MinTicksRemaining has been reloaded with MinTicks, the RD command verifies that the keys have not been tampered with. This is accomplished by internally generating S[K₁|K₂] and comparing against Checksum. This generation and comparison must take the same amount of time regardless of whether the keys are correct or not. If the times are not the same, an attacker can gain information about which bits are incorrect. If the internal verification fails, the CLR function is called to clear all the key information and effectively destroy the chip. If K₁ and K₂ are stored as multilevel Flash memory, the full multi-level Flash values should be used for the verification process instead of just the subset used to represent valid values. For example, if 2-bit multi-level Flash is used, K₁ and K₂ are effectively 320 bits each instead of 160 for a total of 640 bits.

[1025] Once the internal keys are known to be safe, the RD commandchecks to see if the input parameters are valid. This is accomplished byinternally generating S_(K1)[X] for the input X, and then comparing theresult against the input S_(K1)[X]. This generation and comparison musttake the same amount of time regardless of whether the input parametersare correct or not. If the times are not the same, an attacker can gaininformation about which bits of S_(K1)[X] are incorrect.

[1026] The only way for the input parameters to be invalid is anerroneous System (passing the wrong bits), a case of the wrongconsumable in the wrong System, a bad trusted chip (generating badpairs), or an attack on the authentication chip. A constant value of 0is returned when the input parameters are wrong. The time taken for 0 tobe returned must be the same for all bad inputs so that attackers canlearn nothing about what was invalid.

[1027] Once the input parameters have been verified the output valuesare calculated. The 256 bit content of M are transferred in thefollowing order: bits 0-15 of M[0], bits 0-15 of M[1], through to bits0-15 of M[15]. S_(K2)[X|M] is calculated and output as bits 0-159.

[1028] The R register is used to store the X value during the validationof the X, S_(K1)[X] pair. This is because RND and RD are mutuallyexclusive.

[1029] The RD command is implemented with the following steps:

TABLE 16 Steps in RD command

Step  Action
1     IF (MinTicksRemaining ≠ 0) GOTO 1
2     MinTicksRemaining ← MinTicks
3     Hash ← Calculate S_(K1)[K₁ | K₂]
4     OK ← (Hash = Checksum). Note that this operation must take constant time so an attacker cannot determine anything about the validity of particular bits of Hash.
5     IF (NOT OK) GOTO CLR
6     R ← Read 160 bits from client
7     Hash ← Calculate S_(K1)[R]
8     OK ← (Hash = next 160 bits from client). Note that this operation must take constant time so an attacker cannot determine how much of their guess is correct.
9     IF (OK) Output 256 bits of M to client ELSE Output 256 bits of 0 to client
10    Hash ← Calculate S_(K2)[R | M]
11    IF (OK) Output 160 bits of Hash to client ELSE Output 160 bits of 0 to client

8.4 RND-Random

Input: None

Output: R, S_(K1)[R]=[160 bits, 160 bits]

[1030] The RND (Random) command is used by a client to obtain a valid R, S_(K1)[R] pair for use in a subsequent authentication via the RD and TST commands. Since there are no input parameters, an RND command is therefore simply bits 0-2 of the RND opcode.

[1031] The RND command can only be used when the following conditionshave been met:

[1032] SIWritten=1 indicating that K₁, K₂, Checksum and R have been setup via the SSI command; and

[1033] IsTrusted=1 indicating the chip is permitted to generate randomnumber sequences.

[1034] RND returns both R and S_(K1)[R] to the caller.

[1035] The 320-bit output of the RND command can be fed straight into the non-trusted chip's RD command as the input parameters. There is no need for the client to store them at all, since they are not required again. However the TST command will only succeed if the random number passed into the RD command was obtained first from the RND command.

[1036] If a caller only calls RND multiple times, the same R, S_(K1)[R]pair will be returned each time. R will only advance to the next randomnumber in the sequence after a successful call to TST. See TST for moreinformation.

[1037] Before returning any information, the RND command checks to ensure that the keys have not been tampered with by calculating S[K₁|K₂] and comparing against Checksum. If the keys have been tampered with the checksum will fail and CLR is called to erase any key information. If K₁ and K₂ are stored as multilevel Flash memory, the full multi-level Flash values should be used for the verification process instead of just the subset used to represent valid values. For example, if 2-bit multi-level Flash is used, K₁ and K₂ are effectively 320 bits each instead of 160 for a total of 640 bits.

[1038] The RND command is implemented with the following steps:

TABLE 17 Steps in RND command

Step  Action
1     Hash ← Calculate S_(K1)[K₁ | K₂]
2     OK ← (Hash = Checksum). Note that this operation must take constant time so an attacker cannot determine anything about the validity of particular bits of Hash.
3     IF (NOT OK) GOTO CLR
4     Output 160 bits of R to client
5     Hash ← Calculate S_(K1)[R]
6     Output 160 bits of Hash to client

8.5 TST-Test

Input: M, S_(K2)[R|M]=[256 bits, 160 bits]

Output: 1 bit

[1039] Changes: M, R and MinTicksRemaining (or all registers if attack detected)

[1040] The TST (Test) command is used to authenticate a read of M from a non-trusted authentication chip. The TST command consists of the TST command opcode followed by input parameters: M and S_(K2)[R|M]. Since the authentication chip is serial, this must be transferred one bit at a time. The bit order is LSB to MSB for each command component.

[1041] A TST command is therefore: bits 0-2 of the TST opcode, followedby bits 0-255 of M, bits 0-159 of S_(K2)[R|M]. 419 bits are transferredin total. Since the last 416 input bits are obtained as the output bitsfrom a RD command to a non-trusted authentication chip, the entire datadoes not even have to be stored by the client. Instead, the bits can bepassed directly to the trusted authentication chip's TST command. Onlythe 256 bits of M should be kept from a RD command.

[1042] The TST command can only be used when the following conditionshave been met:

[1043] SIWritten=1 indicating that K₁, K₂, Checksum and R have been setup via the SSI command; and

[1044] IsTrusted=1 indicating the chip is permitted to generate randomnumber sequences.

[1045] In addition, calls to TST must wait for the MinTicksRemainingregister to reach 0. Once it has done so, the register is reloaded withMinTicks to ensure that a minimum time will elapse between calls to TST.

[1046] The TST command then checks to make sure that the keys have not been tampered with. This is accomplished by internally generating S[K₁|K₂] and comparing against Checksum. This generation and comparison must take the same amount of time regardless of whether the keys are correct or not. If the times are not the same, an attacker can gain information about which bits are incorrect. If the internal verification fails, the CLR function is called to clear all the key information and effectively destroy the chip. If K₁ and K₂ are stored as multilevel Flash memory, the full multi-level Flash values should be used for the verification process instead of just the subset used to represent valid values. For example, if 2-bit multi-level Flash is used, K₁ and K₂ are effectively 320 bits each instead of 160 for a total of 640 bits.

[1047] TST causes the internal M value to be replaced by the input Mvalue. S_(K2)[M |R] is then calculated, and compared against the 160 bitinput hash value. A single output bit is produced: 1 if they are thesame, and 0 if they are different. The use of the internal M value is tosave space on chip, and is the reason why RD and TST are mutuallyexclusive commands. If the output bit is 1, R is updated to be the nextrandom number in the sequence. This forces the caller to use a newrandom number each time RD and TST are called.

[1048] The resultant output bit is not output until the entire inputstring has been compared, so that the time to evaluate the comparison inthe TST function is always the same. Thus no attacker can compareexecution times or number of bits processed before an output is given.

[1049] The next random number is generated from R using a 160-bit maximal period LFSR (tap selections on bits 5, 3, 2, and 0). The initial 160-bit value for R is set up via the SSI command, and can be any random number except 0 (an LFSR filled with 0s will produce a never-ending stream of 0s). R is transformed by XORing bits 0, 2, 3, and 5 together, and shifting all 160 bits right 1 bit using the XOR result as the input bit to b₁₅₉. The new R will be returned on the next call to RND. The LFSR is the same as that shown in FIG. 9.

[1050] Note that the time taken for 0 to be returned from TST must bethe same for all bad inputs so that attackers can learn nothing aboutwhat was invalid about the input.

[1051] The TST command is implemented with the following steps:

TABLE 18 Steps in TST command

Step  Action
1     IF (MinTicksRemaining ≠ 0) GOTO 1
2     MinTicksRemaining ← MinTicks
3     Hash ← Calculate S_(K1)[K₁ | K₂]
4     OK ← (Hash = Checksum). Note that this operation must take constant time so an attacker cannot determine anything about the validity of particular bits of Hash.
5     IF ((NOT OK) OR (R = 0)) GOTO CLR
6     M ← Read 256 bits from client
7     Hash ← Calculate S_(K2)[R | M]
8     OK ← (Hash = next 160 bits from client). Note that this operation must take constant time so an attacker cannot determine how much of their guess is correct.
9     IF (OK) Temp ← R; Erase R; Advance Temp via LFSR; R ← Temp
10    Output 1 bit of OK to client

[1052] Note that we can't simply advance R directly in Step 9 since R is Flash memory, and must be erased in order for any set bit to become 0. If power is removed from the authentication chip during Step 9 after erasing the old value of R, but before the new value for R has been written, then R will be erased but not reprogrammed. We therefore have the situation of IsTrusted=1, yet R=0, a situation only possible due to an attacker. Step 5 detects this event (as well as the check of K₁ and K₂), and takes action if the attack is detected.

[1053] The problem can be avoided by having a second 160-bit Flash register for R and a Validity Bit, toggled after the new value has been loaded. It has not been included in this implementation for reasons of space, but if chip space allows it, an extra 160-bit Flash register would be useful for this purpose.
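As an added worked example (not part of the patent text), the following Python model walks steps 3 to 10 of the TST command in Table 18 together with the LFSR advance of [1049] and the R = 0 check of [1052]. The signature function S_K[x] is modelled as HMAC-SHA1, the keys, seed and M are constructed values, and the MinTicks wait of steps 1 and 2 is not modelled.

```python
"""Constructed model of the TST command (Table 18), the LFSR of [1049] and
the erase-before-program hazard of [1052]."""
import hashlib
import hmac

R_BITS = 160


def sign(key, data):
    """Model of the page's signature S_K[data]: HMAC-SHA1, giving 160 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()


def lfsr_advance(r):
    """One step of the 160-bit LFSR: XOR bits 0, 2, 3 and 5, shift right by
    one bit and feed the XOR result in at bit 159 (taps 5, 3, 2, 0)."""
    feedback = (r ^ (r >> 2) ^ (r >> 3) ^ (r >> 5)) & 1
    return (r >> 1) | (feedback << (R_BITS - 1))


class SystemChip:
    """Trusted System chip after SSI[K1, K2, Checksum, R] with a nonzero seed."""

    def __init__(self, k1, k2, r_seed):
        self.k1, self.k2 = k1, k2
        self.checksum = sign(k1, k1 + k2)      # S_K1[K1 | K2], stored by SSI
        self.r = r_seed                        # 160-bit LFSR state, never 0
        self.is_trusted = 1

    def clr(self):
        """CLR: wipe keys, checksum and R (Table 18's action on failure)."""
        self.k1 = self.k2 = self.checksum = b"\x00" * 20
        self.r = 0

    def rnd(self):
        """RND: the current R and S_K1[R], the input pair handed to RD."""
        r_bytes = self.r.to_bytes(20, "big")
        return r_bytes, sign(self.k1, r_bytes)

    def tst(self, m, client_hash):
        """TST steps 3-10 (the MinTicks wait of steps 1-2 is not modelled).
        m is the 256-bit M read back from the consumable, client_hash the
        160 bits it returned.  Returns the single OK bit."""
        # Steps 3-4: recheck the stored keys against Checksum in constant time.
        ok = hmac.compare_digest(sign(self.k1, self.k1 + self.k2), self.checksum)
        # Step 5: bad keys, or R = 0 (erased but never reprogrammed, see [1052]),
        # can only result from tampering, so the chip clears itself.
        if not ok or self.r == 0:
            self.clr()
            return 0
        # Steps 6-8: recompute S_K2[R | M] and compare in constant time, so the
        # timing says nothing about how many bits of a guess were right.
        r_bytes = self.r.to_bytes(20, "big")
        ok = hmac.compare_digest(sign(self.k2, r_bytes + m), client_hash)
        # Step 9: only a successful test advances R.  The Flash register is
        # erased (to 0) before the new value is programmed, which is the window
        # step 5 guards against.
        if ok:
            temp = self.r
            self.r = 0                         # erase R
            temp = lfsr_advance(temp)          # advance Temp via LFSR
            self.r = temp                      # program the new R
        return int(ok)


def consumable_rd(k2, r_bytes, m):
    """RD on a genuine consumable: S_K2[R | M] for the System to test (the
    consumable's own verification of S_K1[R] is not modelled here)."""
    return sign(k2, r_bytes + m)
```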

[1054] 8.6 WR-Write

[1055] Input: M_(new)=[256 bits]

[1056] Output: None

[1057] Changes: M

[1058] A WR (Write) command is used to update the writable parts of M containing authentication chip state data. The WR command by itself is not secure. It must be followed by an authenticated read of M (via a RD command) to ensure that the change was made as specified.

[1059] The WR command is called by passing the WR command opcode followed by the new 256 bits of data to be written to M. Since the authentication chip is serial, the new value for M must be transferred one bit at a time. The bit order is LSB to MSB for each command component. A WR command is therefore: bits 0-2 of the WR opcode, followed by bits 0-15 of M[0], bits 0-15 of M[1], through to bits 0-15 of M[15]. 259 bits are transferred in total.

[1060] The WR command can only be used when SIWritten=1, indicating that K₁, K₂, Checksum and R have been set up via the SSI command (if SIWritten is 0, then K₁, K₂, Checksum and R have not been set up yet, and the CLR command is called instead).

[1061] The ability to write to a specific M[n] is governed by the corresponding Access Mode bits as stored in the AccessMode register. The AccessMode bits can be set using the SAM command.

[1062] When writing the new value to M[n] the fact that M[n] is Flash memory must be taken into account. All the bits of M[n] must be erased, and then the appropriate bits set. Since these two steps occur on different cycles, it leaves the possibility of attack open. An attacker can remove power after erasure, but before programming with the new value. However, there is no advantage to an attacker in doing this:

[1063] A Read/Write M[n] changed to 0 by this means is of no advantage since the attacker could have written any value using the WR command anyway.

[1064] A Read Only M[n] changed to 0 by this means allows an additional known text pair (where the M[n] is 0 instead of the original value). For future use M[n] values, they are already 0, so no information is given.

[1065] A Decrement Only M[n] changed to 0 simply speeds up the time in which the consumable is used up. It does not give any new information to an attacker that using the consumable would give.

[1066] The WR command is implemented with the following steps:

TABLE 19 Steps in WR command
Step  Action
1     DecEncountered ← 0
      EqEncountered ← 0
      n ← 15
2     Temp ← Read 16 bits from client
3     AM ← AccessMode[~n]
      Compare to the previous value
4     LT ← (Temp < M[~n]) [comparison is unsigned]
      EQ ← (Temp = M[~n])
5     WE ← (AM = RW) ∨ ((AM = MSR) ∧ LT) ∨ ((AM = NMSR) ∧ (DecEncountered ∨ LT))
6     DecEncountered ← ((AM = MSR) ∧ LT) ∨ ((AM = NMSR) ∧ DecEncountered) ∨ ((AM = NMSR) ∧ EqEncountered ∧ LT)
      EqEncountered ← ((AM = MSR) ∧ EQ) ∨ ((AM = NMSR) ∧ EqEncountered ∧ EQ)
      Advance to the next Access Mode set and write the new M[~n] if applicable
7     IF (WE)
          Erase M[~n]
          M[~n] ← Temp
8     n ← n − 1
9     IF (n ≠ 0) GOTO 2

[1067] The SAM (Set Access Mode) command is used to set the 32 bits of the AccessMode register, and is only available for use in consumable authentication chips (where the IsTrusted flag=0).

[1068] The SAM command is called by passing the SAM command opcode followed by a 32-bit value that is used to set bits in the AccessMode register. Since the authentication chip is serial, the data must be transferred one bit at a time. The bit order is LSB to MSB for each command component. A SAM command is therefore: bits 0-2 of the SAM opcode, followed by bits 0-31 of bits to be set in AccessMode. 35 bits are transferred in total.

[1069] The AccessMode register is only cleared to 0 upon execution of a CLR command. Since an access mode of 00 indicates an access mode of RW (read/write), not setting any AccessMode bits after a CLR means that all of M can be read from and written to.

[1070] The SAM command only sets bits in the AccessMode register. Consequently a client can change the access mode bits for M[n] from RW to RO (read only) by setting the appropriate bits in a 32-bit word, and calling SAM with that 32-bit value as the input parameter. This allows the programming of the access mode bits at different times, perhaps at different stages of the manufacturing process. For example, the read only random data can be written to during the initial key programming stage, while allowing a second programming stage for items such as consumable serial numbers.

[1071] Since the SAM command only sets bits, the effect is to allow the access mode bits corresponding to M[n] to progress from RW to either MSR, NMSR, or RO. It should be noted that an access mode of MSR can be changed to RO, but this would not help an attacker, since the authentication of M after a write to a doctored authentication chip would detect that the write was not successful and hence abort the operation. The setting of bits corresponds to the way that Flash memory works best.

[1072] The only way to clear bits in the AccessMode register, for example to change a Decrement Only M[n] to be Read/Write, is to use the CLR command. The CLR command not only erases (clears) the AccessMode register, but also clears the keys and all of M.

[1073] Thus the AccessMode[n] bits corresponding to M[n] can only usefully be changed once between CLR commands.

[1074] The SAM command returns the new value of the AccessMode register (after the appropriate bits have been set due to the input parameter). By calling SAM with an input parameter of 0, AccessMode will not be changed, and therefore the current value of AccessMode will be returned to the caller.

[1075] The SAM command is implemented with the following steps:

TABLE 20 Steps in SAM command
Step  Action
1     Temp ← Read 32 bits from client
2     SetBits(AccessMode, Temp)
3     Output 32 bits of AccessMode to client
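As an added example (not the patent's own code), this Python model implements the Table 19 write-enable logic for the RW, MSR, NMSR and RO modes and the set-bits-only SAM of Table 20, then programs the ink-counter layout of Table 26 so that a borrowing decrement of a 32-bit hi/lo counter is accepted while an increase is silently dropped. The 2-bit mode codes other than RW = 00, the bit position of each M[n]'s mode within AccessMode, and all serial, batch and random values are assumptions made for the example.

```python
"""Constructed model of the WR (Table 19) and SAM (Table 20) commands."""

RW, MSR, NMSR, RO = 0b00, 0b01, 0b10, 0b11   # RW = 00 per [1069]; other codes assumed
WORD = 0xFFFF


class ConsumableChip:
    """Consumable chip state after CLR: M all 0, AccessMode 0 (every M[n] RW)."""

    def __init__(self):
        self.m = [0] * 16          # M[0..15], 16 bits each
        self.access_mode = 0       # 32-bit register, 2 bits per M[n]

    def mode(self, n):
        # Assumed layout: the two AccessMode bits for M[n] are bits 2n and 2n+1.
        return (self.access_mode >> (2 * n)) & 0b11

    def sam(self, bits):
        """SAM only sets bits (Flash-friendly), so a mode can move RW -> MSR,
        NMSR or RO but never back; the new register value is returned."""
        self.access_mode |= bits & 0xFFFFFFFF
        return self.access_mode

    def wr(self, new_words):
        """WR: new_words holds the 256-bit value as 16 words.  n counts 15..0
        and the word handled is M[~n], so M[0] (first on the serial line) is
        processed first.  A word whose mode forbids the write is left as it
        was and nothing is reported, which is why the page requires an
        authenticated RD afterwards."""
        dec_enc = eq_enc = False                     # step 1
        for n in range(15, -1, -1):
            idx = ~n & 0xF                           # M[~n]
            temp = new_words[idx] & WORD             # step 2
            am = self.mode(idx)                      # step 3
            lt = temp < self.m[idx]                  # step 4, unsigned compare
            eq = temp == self.m[idx]
            # step 5: write enable
            we = (am == RW) or (am == MSR and lt) \
                or (am == NMSR and (dec_enc or lt))
            # step 6: carry decrement/equality state to the following word
            dec_enc = (am == MSR and lt) or (am == NMSR and dec_enc) \
                or (am == NMSR and eq_enc and lt)
            eq_enc = (am == MSR and eq) or (am == NMSR and eq_enc and eq)
            if we:                                   # step 7: erase, then program
                self.m[idx] = temp


def mode_bits(n, mode):
    """Word to pass to SAM to put M[n] into the given mode (assumed layout)."""
    return mode << (2 * n)


def counter32(chip, hi):
    """Read a 32-bit hi/lo counter held in M[hi] (MSR) and M[hi+1] (NMSR)."""
    return (chip.m[hi] << 16) | chip.m[hi + 1]


def with_counter32(words, hi, value):
    """Copy of a 16-word image with the counter at M[hi]/M[hi+1] replaced."""
    words = list(words)
    words[hi], words[hi + 1] = (value >> 16) & WORD, value & WORD
    return words


def program_table26(cyan=0x00010000, magenta=0x00010000, yellow=0x00010000):
    """Stage 4/5 style programming of the Table 26 layout: serial and batch
    RO, three MSR/NMSR ink counters, future-use words 0 and RO, random RO
    data.  Serial, batch and 'random' values are constructed."""
    chip = ConsumableChip()
    words = [0] * 16
    words[0], words[1] = 0x1234, 0x0042
    for hi, value in ((2, cyan), (4, magenta), (6, yellow)):
        words = with_counter32(words, hi, value)
    words[12:16] = [0xA5A5, 0x5A5A, 0xC3C3, 0x3C3C]
    chip.wr(words)                       # all RW right after CLR, so all written
    bits = 0
    for n in (0, 1, 8, 9, 10, 11, 12, 13, 14, 15):
        bits |= mode_bits(n, RO)
    for hi in (2, 4, 6):
        bits |= mode_bits(hi, MSR) | mode_bits(hi + 1, NMSR)
    chip.sam(bits)
    return chip
```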

[1076] The GIT (Get IsTrusted) command is used to read the current value of the IsTrusted bit on the authentication chip. If the bit returned is 1, the authentication chip is a trusted System authentication chip. If the bit returned is 0, the authentication chip is a consumable authentication chip.

[1077] A GIT command consists of simply the GIT command opcode. Since the authentication chip is serial, this must be transferred one bit at a time. The bit order is LSB to MSB for each command component.

[1078] A GIT command is therefore sent as bits 0-2 of the GIT opcode. A total of 3 bits are transferred.

[1079] The GIT command is implemented with the following step:

TABLE 21 Steps in GIT command
Step  Action
1     Output IsTrusted bit to client

[1080] The SMT (Set MinTicks) command is used to set bits in the MinTicks register and hence define the minimum number of ticks that must pass in between calls to TST and RD. The SMT command is called by passing the SMT command opcode followed by a 32-bit value that is used to set bits in the MinTicks register. Since the authentication chip is serial, the data must be transferred one bit at a time. The bit order is LSB to MSB for each command component. An SMT command is therefore: bits 0-2 of the SMT opcode, followed by bits 0-31 of bits to be set in MinTicks. 35 bits are transferred in total.

[1081] The MinTicks register is only cleared to 0 upon execution of a CLR command. A value of 0 indicates that no ticks need to pass between calls to key-based functions. The functions may therefore be called as frequently as the clock speed limiting hardware allows the chip to run.

[1082] Since the SMT command only sets bits, the effect is to allow a client to set a value, and only increase the time delay if further calls are made. Setting a bit that is already set has no effect, and setting a bit that is clear only serves to slow the chip down further. The setting of bits corresponds to the way that Flash memory works best.

[1083] The only way to clear bits in the MinTicks register, for example to change a value of 10 ticks to a value of 4 ticks, is to use the CLR command. However the CLR command clears the MinTicks register to 0 as well as clearing all keys and M. It is therefore useless for an attacker.

[1084] Thus the MinTicks register can only usefully be changed once between CLR commands.

[1085] The SMT command is implemented with the following steps:

TABLE 22 Steps in SMT command
Step  Action
1     Temp ← Read 32 bits from client
2     SetBits(MinTicks, Temp)

[1086] 9 Programming Authentication Chips

[1087] Authentication chips must be programmed with logically secure information in a physically secure environment. Consequently the programming procedures cover both logical and physical security.

[1088] Logical security is the process of ensuring that K₁, K₂, R, and the random M[n] values are generated by a physically random process, and not by a computer. It is also the process of ensuring that the order in which parts of the chip are programmed is the most logically secure.

[1089] Physical security is the process of ensuring that the programming station is physically secure, so that K₁ and K₂ remain secret, both during the key generation stage and during the lifetime of the storage of the keys. In addition, the programming station must be resistant to physical attempts to obtain or destroy the keys. The authentication chip has its own security mechanisms for ensuring that K₁, K₂, and Checksum are kept secret, but the Programming Station must also keep K₁ and K₂ safe. The physical security of the programming station is mentioned briefly here, but has an entire document of its own [85].

[1090] 9.1 Overview

[1091] After manufacture, an authentication chip must be programmed before it can be used. In all chips values for K₁ and K₂ must be established. If the chip is destined to be a System authentication chip, the initial value for R must be determined. If the chip is destined to be a consumable authentication chip, R must be set to 0, and initial values for M and AccessMode must be set up.

[1092] The following stages are therefore identified:

[1093] 0. Manufacture

[1094] 1. Determine Interaction between Systems and Consumables

[1095] 2. Determine Keys for Systems and Consumables

[1096] 3. Determine MinTicks for Systems and Consumables

[1097] 4. Program Keys, Random Seed, MinTicks and Unused M

[1098] 5. Program State Data and Access Modes

[1099] Once the consumable or system is no longer required, the attached authentication chip can be reused. This is easily accomplished by reprogramming the chip starting at Stage 4 again.

[1100] Each of the stages is examined in the subsequent sections.

[1101] 9.2 Stage 0: Manufacture

[1102] Although the manufacture of authentication chips is outlined in Section 10, a number of points can be made here.

[1103] The algorithms and chip process are not special, and require no special security. Standard Flash processes are used.

[1104] At the end of the manufacturing stage, the authentication chips are tested by being programmed with particular test programs. There is no JTAG test mechanism.

[1105] A theft of authentication chips between the chip manufacturer and programming station would only provide the clone manufacturer with blank chips. This merely compromises the sale of authentication chips, not anything authenticated by authentication chips. Since the programming station is the only mechanism with consumable and system product keys, a clone manufacturer would not be able to program the chips with the correct key. Clone manufacturers would be able to program the blank chips for their own systems and consumables, but it would be difficult to place these items on the market without detection. In addition, a single theft would be difficult to base a business around.

[1106] 9.3 Stage 1: Determine Interaction Between Systems and Consumables

[1107] The decision of what is a System and what is a Consumable needs to be determined before any authentication chips can be programmed. A decision needs to be made about which Consumables can be used in which Systems, since all connected Systems and Consumables must share the same key information. They also need to share state-data usage mechanisms even if some of the interpretations of that data have not yet been determined.

[1108] A simple example is that of a car and car-keys. The car itself is the System, and the car-keys are the consumables. There are several car-keys for each car, each containing the same key information as the specific car. However each car (System) would contain a different key (shared by its car-keys), since we don't want car-keys from one car working in another.

[1109] Another example is that of a photocopier that requires a particular toner cartridge. In simple terms the photocopier is the System, and the toner cartridge is the consumable. However the decision must be made as to what compatibility there is to be between cartridges and photocopiers. The decision has historically been made in terms of the physical packaging of the toner cartridge: certain cartridges will or won't fit in a new model photocopier based on the design decisions for that copier. When authentication chips are used, the components that must work together must share the same key information.

[1110] In addition, each type of consumable requires a different way of dividing M (the state data). Although the way in which M is used will vary from application to application, the method of allocating M[n] and AccessMode[n] will be the same:

[1111] Define the consumable state data for specific use

[1112] Set some M[n] registers aside for future use (if required). Set these to be 0 and Read Only. The value can be tested for in Systems to maintain compatibility.

[1113] Set the remaining M[n] registers (at least one, but it does not have to be M[15]) to be Read Only, with the contents of each M[n] completely random. This is to make it more difficult for a clone manufacturer to attack the authentication keys (see Section 5).

[1114] The following examples show ways in which the state data may be organized.

9.3.1 EXAMPLE 1

[1115] Suppose we have a car with associated car-keys. A 16-bit key number is more than enough to uniquely identify each car-key for a given car.

[1116] The 256 bits of M could be divided up as follows:

TABLE 23 Car's 256 M bits
M[n]  Access  Description
0     RO      Key number (16 bits)
1-4   RO      Car engine number (64 bits)
5-8   RO      For future expansion = 0 (64 bits)
9-15  RO      Random bit data (112 bits)

[1117] If the car manufacturer keeps all logical keys for all cars, it is a trivial matter to manufacture a new physical car-key for a given car should one be lost. The new car-key would contain a new Key Number in M[0], but have the same K₁ and K₂ as the car's authentication chip.

[1118] Car Systems could allow specific key numbers to be invalidated (for example if a key is lost). Such a system might require Key 0 (the master key) to be inserted first, then all valid keys, then Key 0 again. Only those valid keys would now work with the car. In the worst case, for example if all car-keys are lost, then a new set of logical keys could be generated for the car and its associated physical car-keys if desired.

[1119] The Car engine number would be used to tie the key to the particular car.

[1120] Future use data may include such things as rental information, such as driver/renter details.

9.3.2 EXAMPLE 2

[1121] Suppose we have a photocopier image unit which should be replaced every 100,000 copies. 32 bits are required to store the number of pages remaining.

[1122] The 256 bits of M could be divided up as follows:

TABLE 24 Photocopier's 256 M bits
M[n]  Access  Description
0     RO      Serial number (16 bits)
1     RO      Batch number (16 bits)
2     MSR     Page Count Remaining (32 bits, hi/lo)
3     NMSR
4-7   RO      For future expansion = 0 (64 bits)
8-15  RO      Random bit data (128 bits)

[1123] If a lower quality image unit is made that must be replaced after only 10,000 copies, the 32-bit page count can still be used for compatibility with existing photocopiers. This allows several consumable types to be used with the same system.

9.3.3 EXAMPLE 3

[1124] Consider a Polaroid camera consumable containing 25 photos. A 16-bit countdown is all that is required to store the number of photos remaining.

[1125] The 256 bits of M could be divided up as follows:

TABLE 25 Camera 256 M bits
M[n]  Access  Description
0     RO      Serial number (16 bits)
1     RO      Batch number (16 bits)
2     MSR     Photos Remaining (16 bits)
3-6   RO      For future expansion = 0 (64 bits)
7-15  RO      Random bit data (144 bits)

[1126] The Photos Remaining value at M[2] allows a number of consumable types to be built for use with the same camera System. For example, a new consumable with 36 photos is trivial to program.

[1127] Suppose 2 years after the introduction of the camera, a new type of camera was introduced. It is able to use the old consumable, but also can process a new film type. M[3] can be used to define Film Type. Old film types would be 0, and the new film types would be some new value. New Systems can take advantage of this. Original systems would detect a non-zero value at M[3] and realize incompatibility with new film types. New Systems would understand the value of M[3] and so react appropriately. To maintain compatibility with the old consumable, the new consumable and System need to have the same key information as the old one. To make a clean break with a new System and its own special consumables, a new key set would be required.

9.3.4 EXAMPLE 4

[1128] Consider a printer consumable containing 3 inks: cyan, magenta, and yellow. Each ink amount can be decremented separately.

[1129] The 256 bits of M could be divided up as follows:

TABLE 26 Printer's 256 M bits
M[n]   Access  Description
0      RO      Serial number (16 bits)
1      RO      Batch number (16 bits)
2      MSR     Cyan Remaining (32 bits, hi/lo)
3      NMSR
4      MSR     Magenta Remaining (32 bits, hi/lo)
5      NMSR
6      MSR     Yellow Remaining (32 bits, hi/lo)
7      NMSR
8-11   RO      For future expansion = 0 (64 bits)
12-15  RO      Random bit data (64 bits)

[1130] 9.4 Stage 2: Determine Keys for Systems and Consumables

[1131] Once the decision has been made as to which Systems and consumables are to share the same keys, those keys must be defined. The values for K₁, K₂ and their corresponding Checksum must therefore be determined.

[1132] In most cases, K₁ and K₂ will be generated once for all time. All Systems and consumables that have to work together (both now and in the future) need to have the same K₁ and K₂ values. K₁ and K₂ must therefore be kept secret since the entire security mechanism for the System/Consumable combination is made void if the keys are compromised. If the keys are compromised, the damage depends on the number of systems and consumables, and the ease with which they can be reprogrammed with new non-compromised keys:

[1133] In the case of a photocopier with toner cartridges, the worst case is that a clone manufacturer could then manufacture their own authentication chips (or worse, buy them), program the chips with the known keys, and then insert them into their own consumables.

[1134] In the case of a car with car-keys, each car has a different set of keys. This leads to two possible general scenarios. The first is that after the car and car-keys are programmed with the keys, K₁ and K₂ are deleted so no record of their values is kept, meaning that there is no way to compromise K₁ and K₂. However no more car-keys can be made for that car without reprogramming the car's authentication chip. The second scenario is that the car manufacturer keeps K₁ and K₂, and new keys can be made for the car. A compromise of K₁ and K₂ means that someone could make a car-key specifically for a particular car.

[1135] The keys and random data used in the authentication chips must therefore be generated by a means that is non-deterministic (a completely computer generated pseudo-random number cannot be used because it is deterministic—knowledge of the generator's seed gives all future numbers). K₁ and K₂ should be generated by a physically random process, and not by a computer.

[1136] However, random bit generators based on natural sources of randomness are subject to influence by external factors and also to malfunction. It is imperative that such devices be tested periodically for statistical randomness.

[1137] A simple yet useful source of random numbers is the Lavarand® system from SGI [55]. This generator uses a digital camera to photograph six lava lamps every few minutes. Lava lamps contain chaotic turbulent systems. The resultant digital images are fed into an SHA-1 implementation that produces a 7-way hash, resulting in a 160-bit value from every 7th byte from the digitized image. These 7 sets of 160 bits total 140 bytes. The 140 byte value is fed into a BBS generator (see Section 3.6.2 for more information on the Blum-Blum-Shub generator) to position the start of the output bitstream. The output 160 bits from the BBS would be the key for the authentication chip.

[1138] An extreme example of a non-deterministic random process is someone flipping a coin 160 times for K₁ and 160 times for K₂ in a clean room. With each head or tail, a 1 or 0 is entered on a panel of a Key Programmer Device. The process must be undertaken with several observers (for verification) in silence (someone may have a hidden microphone). The point to be made is that secure data entry and storage is not as simple as it sounds. The physical security of the Key Programmer Device and accompanying Programming Station requires an entire document of its own [85].

[1139] Once keys K₁ and K₂ have been determined, and the checksum calculated, they must be kept for as long as authentication chips need to be made that use the key. In the first car/car-key scenario K₁ and K₂ are destroyed after a single System chip and a few consumable chips have been programmed. In the case of the photocopier/toner cartridge, K₁ and K₂ must be retained for as long as the toner-cartridges are being made for the photocopiers. The keys must be kept securely. See [85] for more information.

[1140] 9.5 Stage 3: Determine MinTicks For Systems and Consumables

[1141] The value of MinTicks depends on the operating clock speed of the authentication chip (System specific) and the notion of what constitutes a reasonable time between RD or TST function calls (application specific). The duration of a single tick depends on the operating clock speed. This is the maximum of the input clock speed and the authentication chip's clock-limiting hardware. For example, the authentication chip's clock-limiting hardware may be set at 10 MHz (it is not changeable), but the input clock is 1 MHz. In this case, the value of 1 tick is based on 1 MHz, not 10 MHz. If the input clock was 20 MHz instead of 1 MHz, the value of 1 tick is based on 10 MHz (since the clock speed is limited to 10 MHz).

[1142] Once the duration of a tick is known, the MinTicks value can be set. The value for MinTicks is the minimum number of ticks required to pass between calls to RD or RND key-based functions.

[1143] Suppose the input clock speed matches the maximum clock speed of 10 MHz. If we want a minimum of 1 second between calls to TST, the value for MinTicks is set to 10,000,000. Even a value such as 2 seconds might be a completely reasonable value for a System such as a printer (one authentication per page, and one page produced every 2 or 3 seconds).

[1144] 9.6 Stage 4: Program Keys, Random Seed, MinTicks and Unused M

[1145] Authentication chips are in an unknown state after manufacture. Alternatively, they have already been used in one consumable, and must be reprogrammed for use in another. Each authentication chip must be physically validated (to ensure it is not a Trojan horse authentication chip—see Section 10.2.20), cleared, and programmed with new keys and new state data.

[1146] Validation, clearing and subsequent programming of authentication chips must take place in a secure Programming Station environment. See [85] for more information about the physical nature of the programming environment. For this section, the Programming Station is considered physically secure.

[1147] 9.6.1 Programming a Trusted System Authentication Chip

[1148] If the chip is to be a trusted System chip, a seed value for R must be generated. It must be a random number derived from a physically random process, and must not be 0. The following tasks must be undertaken, in the following order, and in a secure programming environment:

[1149] 1. RESET the chip

[1150] 2. CLR[ ]

[1151] 3. Load R (160 bit register) with physically random data

[1152] 4. SSI[K₁, K₂, Checksum, R]

[1153] 5. SMT[MinTicks_(System)]

[1154] The authentication chip is now ready for insertion into a System. It has been completely programmed.

[1155] If the System authentication chips are stolen at this point, a clone manufacturer could use them to generate R, F_(K1)[R] pairs in order to launch a known text attack on K₁, or to use for launching a partially chosen-text attack on K₂. This is no different to the purchase of a number of Systems, each containing a trusted authentication chip. The security relies on the strength of the Authentication protocols and the randomness of K₁ and K₂.

[1156] 9.6.2 Programming a Non-Trusted Consumable Authentication Chip

[1157] If the chip is to be a non-trusted Consumable authentication chip, the programming is slightly different to that of the trusted System authentication chip. Firstly, the seed value for R must be 0. It must have additional programming for M and the AccessMode values. The future use M[n] must be programmed with 0, and the random M[n] must be programmed with random data. The following tasks must be undertaken, in the following order, and in a secure programming environment:

[1158] 1. RESET the chip

[1159] 2. CLR[ ]

[1160] 3. Load R (160 bit register) with 0

[1161] 4. SSI[K₁, K₂, Checksum, R]

[1162] 5. Load X (256 bit register) with 0

[1163] 6. Set bits in X corresponding to appropriate M[n] with physically random data

[1164] 7. WR[X]

[1165] 8. Load Y (32 bit register) with 0

[1166] 9. Set bits in Y corresponding to appropriate M[n] with Read Only Access Modes

[1167] 10. SAM[Y]

[1168] 11. SMT[MinTicks_(Consumable)]

[1169] The non-trusted consumable chip is now ready to be programmed with the general state data.

[1170] If the authentication chips are stolen at this point, an attacker could perform a limited chosen text attack. In the best situation, parts of M are Read Only (0 and random data), with the remainder of M completely chosen by an attacker (via the WR command). A number of RD calls by an attacker obtains F_(K2)[M|R] for a limited M. In the worst situation, M can be completely chosen by an attacker (since all 256 bits are used for state data). In both cases however, the attacker cannot choose any value for R since it is supplied by calls to RND from a System authentication chip. The only way to obtain a chosen R is by a brute force attack.

[1171] It should be noted that if Stages 4 and 5 are carried out on the same Programming Station (the preferred and ideal situation), authentication chips cannot be removed in between the stages. Hence there is no possibility of the authentication chips being stolen at this point. The decision to program the authentication chips at one or two times depends on the requirements of the System/Consumable manufacturer. This decision is examined more in Stage 5, and in [85].

[1172] 9.7 Stage 5: Program State Data and Access Modes

[1173] This stage is only required for consumable authentication chips, since M and AccessMode registers cannot be altered on System authentication chips.

[1174] The future use and random values of M[n] have already been programmed in Stage 4. The remaining state data values need to be programmed and the associated Access Mode values need to be set. Bear in mind that the speed of this stage will be limited by the value stored in the MinTicks register.

[1175] This stage is separated from Stage 4 on account of the differences either in physical location or in time between where/when Stage 4 is performed, and where/when Stage 5 is performed. Ideally, Stages 4 and 5 are performed at the same time in the same Programming Station.

[1176] Stage 4 produces valid authentication chips, but does not load them with initial state values (other than 0). This is to allow the programming of the chips to coincide with production line runs of consumables. Although Stage 5 can be run multiple times, each time setting a different state data value and Access Mode value, it is more likely to be run a single time, setting all the remaining state data values and setting all the remaining Access Mode values. For example, a production line can be set up where the batch number and serial number of the authentication chip is produced according to the physical consumable being produced. This is much harder to match if the state data is loaded at a physically different factory.

[1177] The Stage 5 process involves first checking to ensure the chip is a valid consumable chip, which includes a RD to gather the data from the authentication chip, followed by a WR of the initial data values, and then a SAM to permanently set the new data values. The steps are outlined here:

[1178] 1. IsTrusted=GIT[ ]

[1179] 2. If (IsTrusted), exit with error (wrong kind of chip!)

[1180] 3. Call RND on a valid System chip to get a valid input pair

[1181] 4. Call RD on chip to be programmed, passing in valid input pair

[1182] 5. Load X (256 bit register) with results from a RD of authentication chip

[1183] 6. Call TST on valid System chip to ensure X and consumable chipare valid

[1184] 7. If (TST returns 0), exit with error (wrong consumable chip for system)

[1185] 8. Set bits of X to initial state values

[1186] 9. WR[X]

[1187] 10. Load Y (32 bit register) with 0

[1188] 11. Set bits of Y corresponding to Access Modes for new state values

[1189] 12. SAM[Y]

[1190] Of course the validation (Steps 1 to 7) does not have to occur if Stages 4 and 5 follow on from one another on the same Programming Station. But it should occur in all other situations where Stage 5 is run as a separate programming process from Stage 4.

[1191] If these authentication chips are now stolen, they are already programmed for use in a particular consumable. An attacker could place the stolen chips into a clone consumable. Such a theft would limit the number of cloned products to the number of chips stolen. A single theft should not create a supply constant enough to provide clone manufacturers with a cost-effective business. The alternative use for the chips is to save the attacker from purchasing the same number of consumables, each with an authentication chip, in order to launch a partially chosen text attack or brute force attack. There is no special security breach of the keys if such an attack were to occur.

[1192] 10 Manufacture

[1193] This part makes some general comments about the manufacture and implementation of authentication chips. While the comments presented here are general, see [84] for a detailed description of an authentication chip for Protocol C1.

[1194] The authentication chip algorithms do not constitute a strong encryption device. The net effect is that they can be safely manufactured in any country (including the USA) and exported to anywhere in the world.

[1195] The circuitry of the authentication chip must be resistant to physical attack. A summary of manufacturing implementation guidelines is presented, followed by specification of the chip's physical defenses (ordered by attack).

[1196] Note that manufacturing comments are in addition to any legal protection undertaken, such as patents, copyright, and license agreements (for example, penalties if caught reverse engineering the authentication chip).

[1197] 10.1 Guidelines for Manufacturing

[1198] The following are general guidelines for implementation of an authentication chip in terms of manufacture (see [84] for a detailed description of an authentication chip based on Protocol C1). No special security is required during the manufacturing process.

[1199] Standard process

[1200] Minimum size (if possible)

[1201] Clock Filter

[1202] Noise Generator

[1203] Tamper Prevention and Detection circuitry

[1204] Protected memory with tamper detection

[1205] Boot circuitry for loading program code

[1206] Special implementation of FETs for key data paths

[1207] Data connections in polysilicon layers where possible

[1208] OverUnderPower Detection Unit

[1209] No test circuitry

[1210] Transparent epoxy packaging

[1211] Finally, as a general note to manufacturers of Systems, the data line to the System authentication chip and the data line to the Consumable authentication chip must not be the same line. See Section 10.2.3.

[1212] 10.1.1 Standard Process

[1213] The authentication chip should be implemented with a standard manufacturing process (such as Flash). This is necessary to:

[1214] allow a great range of manufacturing location options

[1215] take advantage of well-defined and well-behaved technology

[1216] reduce cost

[1217] Note that the standard process still allows physical protection mechanisms.

[1218] 10.1.2 Minimum Size

[1219] The authentication chip must have a low manufacturing cost in order to be included as the authentication mechanism for low cost consumables. It is therefore desirable to keep the chip size as low as reasonably possible. Each authentication chip requires 962 bits of non-volatile memory. In addition, the storage required for optimized HMAC-SHA1 is 1024 bits. The remainder of the chip (state machine, processor, CPU or whatever is chosen to implement Protocol C1) must be kept to a minimum in order that the number of transistors is minimized and thus the cost per chip is minimized. The circuit areas that process the secret key information or could reveal information about the key should also be minimized (see Section 10.1.8 for special data paths).

[1220] 10.1.3 Clock Filter

[1221] The authentication chip circuitry is designed to operate within a specific clock speed range. Since the user directly supplies the clock signal, it is possible for an attacker to attempt to introduce race conditions in the circuitry at specific times during processing. An example of this is where a high clock speed (higher than the circuitry is designed for) may prevent an XOR from working properly, so that of the two inputs, the first may always be returned. These styles of transient fault attacks can be very efficient at recovering secret key information, and have been documented in [5] and [1]. The lesson to be learned from this is that the input clock signal cannot be trusted.

[1222] Since the input clock signal cannot be trusted, it must be limited to operate up to a maximum frequency. This can be achieved in a number of ways.

[1223] In clock filter 100 an edge detect unit 101 passes the edge on to a delay 102, which in turn enables a gate 103 so that the clock signal is able to pass from the input port 104 to the output 105.

[1224] FIG. 10 shows the Clock Filter.

[1225] The delay should be set so that the maximum clock speed is a particular frequency (e.g. about 4 MHz). Note that this delay is not programmable—it is fixed.

[1226] The filtered clock signal would be further divided internally as required.
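As an added illustration (example code, not part of the patent and not its circuit), the following C program models the behaviour of clock filter 100 in software: each accepted edge starts a fixed delay during which the gate stays closed, so an over-speed or glitched input is thinned to the design rate. The 4 MHz ceiling is the figure quoted above; the edge timestamps are constructed test data.

```c
/* Added example (not the patent's circuit): a discrete-time model of the clock
 * filter 100 in FIG. 10. An accepted edge starts the fixed delay 102; while it
 * runs, gate 103 stays closed and every further input edge is dropped, so the
 * output can never exceed the design frequency. The 4 MHz ceiling is the value
 * quoted in the text; the edge timestamps below are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NS_PER_S        1000000000ULL
#define MAX_CLOCK_HZ    4000000ULL                  /* about 4 MHz */
#define FILTER_DELAY_NS (NS_PER_S / MAX_CLOCK_HZ)   /* 250 ns, fixed in silicon */

/* Passes rising-edge timestamps (ns, ascending) through the filter. Accepted
 * edges are copied to 'out' when it is non-NULL; returns how many passed. */
size_t clock_filter(const uint64_t *in, size_t n, uint64_t *out, uint64_t delay_ns)
{
    size_t kept = 0;
    uint64_t gate_reopens_at = 0;                   /* gate 103 starts open */
    for (size_t i = 0; i < n; i++) {
        if (kept > 0 && in[i] < gate_reopens_at)
            continue;                               /* inside delay 102: blocked */
        if (out) out[kept] = in[i];                 /* reaches output 105 */
        kept++;
        gate_reopens_at = in[i] + delay_ns;         /* edge detect 101 restarts the delay */
    }
    return kept;
}

/* Constructed inputs: a legitimate 4 MHz clock with two injected glitches at
 * 600 ns and 760 ns, and an over-speed 10 MHz clock. */
const uint64_t demo_glitched[]  = {0, 250, 500, 600, 750, 760, 1000};
const size_t   demo_glitched_n  = sizeof demo_glitched / sizeof demo_glitched[0];
const uint64_t demo_overspeed[] = {0, 100, 200, 300, 400, 500, 600, 700, 800, 900};
const size_t   demo_overspeed_n = sizeof demo_overspeed / sizeof demo_overspeed[0];

int main(void)
{
    uint64_t out[16];
    size_t k = clock_filter(demo_glitched, demo_glitched_n, out, FILTER_DELAY_NS);
    printf("glitched clock: %zu of %zu edges pass:", k, demo_glitched_n);
    for (size_t i = 0; i < k; i++) printf(" %llu", (unsigned long long)out[i]);
    printf("\n");
    k = clock_filter(demo_overspeed, demo_overspeed_n, out, FILTER_DELAY_NS);
    printf("10 MHz clock: %zu of %zu edges pass (rate held to about 3.3 MHz)\n",
           k, demo_overspeed_n);
    return 0;
}
```

The point to notice is that the delay is the only parameter, it is a constant, and an edge arriving inside it is discarded rather than stretched: a glitch injected between two legitimate edges never reaches the output, and a clock faster than the design rate is simply decimated.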

[1227] 10.1.4 Noise Generator

[1228] Each authentication chip should contain a noise generator that generates continuous circuit noise. The noise will interfere with other electromagnetic emissions from the chip's regular activities and add noise to the Idd signal. Placement of the noise generator is not an issue on an authentication chip due to the length of the emission wavelengths.

[1229] The noise generator is used to generate electronic noise, multiple state changes each clock cycle, and as a source of pseudo-random bits for the Tamper Prevention and Detection circuitry (see Section 10.1.5).

[1230] A simple implementation of a noise generator is a 64-bit maximal period LFSR seeded with a non-zero number. The clock used for the noise generator should be running at the maximum clock rate for the chip in order to generate as much noise as possible.

[1231] 10.1.5 Tamper Prevention and Detection Circuitry

[1232] A set of circuits is required to test for and prevent physical attacks on the authentication chip. However what is actually detected as an attack may not be an intentional physical attack. It is therefore important to distinguish between these two types of attacks in an authentication chip:

[1233] where you can be certain that a physical attack has occurred.

[1234] where you cannot be certain that a physical attack has occurred.

[1235] The two types of detection differ in what is performed as a result of the detection. In the first case, where the circuitry can be certain that a true physical attack has occurred, erasure of Flash memory key information is a sensible action. In the second case, where the circuitry cannot be sure if an attack has occurred, there is still certainly something wrong. Action must be taken, but the action should not be the erasure of secret key information. A suitable action to take in the second case is a chip RESET. If what was detected was an attack that has permanently damaged the chip, the same conditions will occur next time and the chip will RESET again. If, on the other hand, what was detected was part of the normal operating environment of the chip, a RESET will not harm the key.

[1236] A good example of an event that circuitry cannot have knowledge about is a power glitch. The glitch may be an intentional attack, attempting to reveal information about the key. It may, however, be the result of a faulty connection, or simply the start of a power-down sequence. It is therefore best to only RESET the chip, and not erase the key. If the chip was powering down, nothing is lost. If the System is faulty, repeated RESETs will cause the consumer to get the System repaired. In both cases the consumable is still intact.

[1237] A good example of an event that circuitry can have knowledge about is the cutting of a data line within the chip. If this attack is somehow detected, it could only be a result of a faulty chip (manufacturing defect) or an attack. In either case, the erasure of the secret information is a sensible step to take.

[1238] Consequently each authentication chip should have 2 Tamper Detection Lines—one for definite attacks, and one for possible attacks. Connected to these Tamper Detection Lines would be a number of Tamper Detection test units, each testing for different forms of tampering. In addition, we want to ensure that the Tamper Detection Lines and Circuits themselves cannot also be tampered with.

[1239] At one end of the Tamper Detection Line 110 is a source of pseudo-random bits 111 (clocking at high speed compared to the general operating circuitry). The Noise Generator circuit described above is an adequate source. The generated bits pass through two different paths—one 112 carries the original data, and the other 113 carries the inverse of the data, it having passed through an inverter 114. The wires carrying these bits are in the layer above the general chip circuitry (for example, the memory, the key manipulation circuitry etc.). The wires must also cover the random bit generator. The bits are recombined at a number of places via an XOR gate 115. If the bits are different (they should be), a 1 is output, and used by the particular unit (for example, each output bit from a memory read should be ANDed with this bit value). The lines finally come together at the Flash memory Erase circuit, where a complete erasure is triggered by a 0 from the XOR. Attached to the line is a number of triggers, each detecting a physical attack on the chip. Each trigger has oversize nMOS transistors, such as 116, attached to GND. The Tamper Detection Line physically goes through these nMOS transistors. If the test fails, the trigger causes the Tamper Detect Line to become 0. The XOR test will therefore fail on either this clock cycle or the next one (on average), thus RESETing or erasing the chip.

[1240] FIG. 11 illustrates the basic circuitry of a Tamper Detection Line with its output connected to either the Erase or RESET circuitry.

[1241] The Tamper Detection Line must go through the drain 120 of an output transistor 116 for each test, as illustrated by FIG. 12.

[1242] It is not possible to break the Tamper Detect Line since this would stop the flow of 1s and 0s from the random source. The XOR tests would therefore fail. As the Tamper Detect Line physically passes through each test, it is not possible to eliminate any particular test without breaking the Tamper Detect Line.

[1243] It is important that the XORs take values from a variety of places along the Tamper Detect Lines in order to reduce the chances of an attack. FIG. 13 illustrates the taking of multiple XORs, indicated generally at 130, from the Tamper Detect Line 110 to be used in the different parts of the chip. Each of these XORs 130 can be considered to be generating a ChipOK bit that can be used within each unit or sub-unit.

[1244] A sample usage would be to have an OK bit in each unit that is ANDed with a given ChipOK bit each cycle. The OK bit is loaded with 1 on a RESET. If OK is 0, that unit will fail until the next RESET. If the Tamper Detect Line is functioning correctly, the chip will either RESET or erase all key information. If the RESET or erase circuitry has been destroyed, then this unit will not function, thus thwarting an attacker.

[1245] The destination of the RESET and Erase line and associated circuitry is very context sensitive. It needs to be protected in much the same way as the individual tamper tests. There is no point generating a RESET pulse if the attacker can simply cut the wire leading to the RESET circuitry. The actual implementation will depend very much on what is to be cleared at RESET, and how those items are cleared.

[1246] The Tamper Lines cover the noise generator circuitry of the chip. The generator and NOT gate are on one level, while the Tamper Detect Lines run on a level above the generator.
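The noise generator of Section 10.1.4 and the Tamper Detection Line just described, written as an added cycle-level model in C (example code, not the patent's circuitry). The LFSR taps are taken from the standard maximal-period tables (x^64+x^63+x^61+x^60+1 for the 64-bit generator, x^4+x^3+1 for a 4-bit self-check); the seed, the trigger events and the cycle counts are constructed for the demonstration.

```c
/* Added example (not the patent's circuitry): a cycle-level model of the noise
 * generator (Section 10.1.4) and the Tamper Detection Line (Section 10.1.5).
 * LFSR taps are from the standard maximal-period tables; seed and cycle counts
 * are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>

/* Fibonacci LFSR shifting right: bit 0 is the output, the feedback bit enters
 * at bit (width-1). A polynomial term x^e is bit (width - e), so x^width is
 * always bit 0 and a non-zero register can never decay to all zeros. */
#define TAPS_64 0x1BULL   /* x^64 -> bit 0, x^63 -> bit 1, x^61 -> bit 3, x^60 -> bit 4 */
#define TAPS_4  0x3ULL    /* x^4 -> bit 0, x^3 -> bit 1 */

static unsigned parity64(uint64_t x)
{
    x ^= x >> 32; x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return (unsigned)(x & 1u);
}

/* Advances the register one clock and returns the output bit. */
unsigned lfsr_step(uint64_t *state, uint64_t taps, unsigned width)
{
    unsigned out = (unsigned)(*state & 1u);
    uint64_t fb = parity64(*state & taps);
    *state = (*state >> 1) | (fb << (width - 1));
    return out;
}

/* Clocks until the register returns to its seed and returns the cycle count
 * (the period). Only sensible for small widths; used to check the taps. */
unsigned long lfsr_period(uint64_t seed, uint64_t taps, unsigned width)
{
    uint64_t s = seed; unsigned long n = 0;
    do { lfsr_step(&s, taps, width); n++; } while (s != seed);
    return n;
}

/* One Tamper Detection Line (FIG. 11): the noise bits travel on a data path
 * and an inverted path, are XORed at each consumer, and a trigger's nMOS
 * transistor pulls the data path to GND when its test fails. Each protected
 * unit keeps an OK latch, set on RESET and ANDed with ChipOK every cycle. */
typedef struct {
    uint64_t noise;          /* 64-bit LFSR: source 111 */
    int trigger_fired;       /* a test unit has pulled the line to GND (116) */
    int line_cut;            /* the covering wire has been severed */
    int unit_ok;             /* OK bit inside a protected unit */
    unsigned long cycle;
} tamper_line_t;

void tamper_line_reset(tamper_line_t *t, uint64_t seed)
{
    t->noise = seed ? seed : 1;      /* LFSR must be seeded non-zero */
    t->trigger_fired = 0; t->line_cut = 0;
    t->unit_ok = 1;                  /* OK is loaded with 1 on RESET */
    t->cycle = 0;
}

/* Clocks the line once; returns ChipOK for that cycle (1 = no tamper seen). */
unsigned tamper_line_clock(tamper_line_t *t)
{
    unsigned bit  = lfsr_step(&t->noise, TAPS_64, 64);
    unsigned data = bit, inv = bit ^ 1u;             /* paths 112 and 113 */
    if (t->line_cut) data = inv = 0;                 /* nothing flows past the cut */
    if (t->trigger_fired) data = 0;                  /* transistor 116 to GND */
    unsigned chip_ok = data ^ inv;                   /* XOR 115: 1 when paths differ */
    t->unit_ok &= (int)chip_ok;                      /* unit fails until next RESET */
    t->cycle++;
    return chip_ok;
}

/* Runs up to n cycles; returns the index of the first cycle at which ChipOK
 * dropped to 0 (where Erase/RESET would fire), or -1 if the line stayed good. */
long tamper_line_run(tamper_line_t *t, unsigned long n)
{
    for (unsigned long i = 0; i < n; i++)
        if (!tamper_line_clock(t)) return (long)i;
    return -1;
}

int main(void)
{
    tamper_line_t line;
    printf("4-bit LFSR period: %lu (maximal is 15)\n", lfsr_period(1, TAPS_4, 4));
    tamper_line_reset(&line, 0x9E3779B97F4A7C15ULL);
    printf("healthy line, 100000 cycles: first failure at %ld\n", tamper_line_run(&line, 100000));
    line.trigger_fired = 1;
    printf("trigger fires: detected after %ld cycle(s)\n", tamper_line_run(&line, 100000));
    line.trigger_fired = 0;                  /* trigger 'repaired' without a RESET */
    tamper_line_run(&line, 10);
    printf("unit OK bit afterwards: %d\n", line.unit_ok);
    return 0;
}
```

Two properties of the text are visible in the model: a pulled-down data path is only noticed on a cycle where the noise bit is 1, which is why detection happens "this cycle or the next, on average" rather than instantly, and a unit's OK latch never recovers once ChipOK has been 0, so disabling the Erase or RESET circuitry alone leaves the chip non-functional.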

[1247] 10.1.6 Protected Memory with Tamper Detection

[1248] It is not enough to simply store secret information or program code in Flash memory. The Flash memory and RAM must be protected from an attacker who would attempt to modify (or set) a particular bit of program code or key information. The mechanism used must be compatible with the Tamper Detection Circuitry (described above).

[1249] The first part of the solution is to ensure that the Tamper Detection Line passes directly above each Flash or RAM bit. This ensures that an attacker cannot probe the contents of Flash or RAM. A breach of the covering wire is a break in the Tamper Detection Line. The breach causes the Erase signal to be set, thus deleting any contents of the memory. The high frequency noise on the Tamper Detection Line also obscures passive observation.

[1250] The second part of the solution for Flash is to use multi-level data storage, but only to use a subset of those multiple levels for valid bit representations. Normally, when multi-level Flash storage is used, a single floating gate holds more than one bit. For example, a 4-voltage-state transistor can represent two bits. Assuming a minimum and maximum voltage representing 00 and 11 respectively, the two middle voltages represent 01 and 10. In the authentication chip, we can use the two middle voltages to represent a single bit, and consider the two extremes to be invalid states. If an attacker attempts to force the state of a bit one way or the other by closing or cutting the gate's circuit, an invalid voltage (and hence invalid state) results.

[1251] The second part of the solution for RAM is to use a parity bit. The data part of the register can be checked against the parity bit (which will not match after an attack).

[1252] The bits coming from Flash and RAM can therefore be validated by a number of test units (one per bit) connected to the common Tamper Detection Line. The Tamper Detection circuitry would be the first circuitry the data passes through (thus stopping an attacker from cutting the data lines).

[1253] While the multi-level Flash protection is enough for non-secret information, such as program code, R, and MinTicks, it is not sufficient for protecting K₁ and K₂. If an attacker adds electrons to a gate (see Section 3.8.2.15) representing a single bit of K₁, and the chip boots up yet doesn't activate the Tamper Detection Line, the key bit must have been a 0. If it does activate the Tamper Detection Line, it must have been a 1. For this reason, all other non-volatile memory can activate the Tamper Detection Line, but K₁ and K₂ must not. Consequently Checksum is used to check for tampering of K₁ and K₂. A signature of the expanded form of K₁ and K₂ (i.e. 320 bits instead of 160 bits for each of K₁ and K₂) is produced, and the result compared against the Checksum. Any non-match causes a clear of all key information.
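An added model in C of the memory protection just described (example code, not the patent's circuitry): non-secret Flash cells and parity-protected RAM words drive the Erase line as soon as an invalid state is read, while the key cells are never checked on read and are instead hashed in their expanded form with SHA-1 and compared against the stored Checksum. The level-to-bit mapping (level 1 = 0, level 2 = 1, which is what the reasoning in [1253] implies), even parity, and the packing of four cells per byte for the checksum are assumptions; the keys are constructed.

```c
/* Added example (not the patent's circuitry): a behavioural model of the memory
 * protection in Section 10.1.6. Non-secret multi-level Flash cells and parity
 * protected RAM words drive the Erase tamper line the moment an invalid state is
 * read; the key cells of K1 and K2 are deliberately not checked on read and are
 * instead validated by a SHA-1 checksum over their expanded (cell-level) form.
 * Assumed: level 1 = bit 0, level 2 = bit 1, even parity, 4 cells per byte. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define KEY_BITS 160                  /* K1 and K2 are 160 bits each */

/* --- SHA-1 (FIPS 180-1), the hash the text names for the key checksum --- */
static uint32_t rol(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

static void sha1(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t total = ((len + 8) / 64 + 1) * 64;                 /* padded length */
    uint8_t *buf = calloc(total, 1);
    if (!buf) { memset(out, 0, 20); return; }
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off + 4*i] << 24 | (uint32_t)buf[off + 4*i + 1] << 16 |
                   (uint32_t)buf[off + 4*i + 2] << 8 | buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(h[i] >> (24 - 8*j));
}

typedef struct { int erase_line; } tamper_t;   /* the Erase Tamper Detection Line */

/* Non-secret multi-level Flash bit: of the 4 levels only the middle two are
 * valid. An extreme level means the gate was forced empty or full: Erase. */
int flash_read_bit(uint8_t level, tamper_t *t)
{
    if (level == 1) return 0;
    if (level == 2) return 1;
    t->erase_line = 1;
    return -1;
}

/* RAM register with an even parity bit over the data part. */
int ram_read(uint8_t data, unsigned parity, tamper_t *t)
{
    unsigned p = 0;
    for (uint8_t x = data; x; x >>= 1) p ^= x & 1u;
    if (p != parity) { t->erase_line = 1; return -1; }
    return data;
}

/* Checksum = SHA-1 over the expanded form of K1||K2: the raw 2-bit cell levels
 * (2 x 320 bits), packed 4 cells per byte. Invalid key levels are hashed, not
 * reported, so a read never reveals which way a forced key bit moved. */
void key_checksum(const uint8_t k1[KEY_BITS], const uint8_t k2[KEY_BITS], uint8_t out[20])
{
    uint8_t packed[2 * KEY_BITS / 4] = {0};
    for (int i = 0; i < 2 * KEY_BITS; i++) {
        uint8_t lvl = (i < KEY_BITS ? k1[i] : k2[i - KEY_BITS]) & 3u;
        packed[i / 4] |= (uint8_t)(lvl << (2 * (i % 4)));
    }
    sha1(packed, sizeof packed, out);
}

/* Run before any command that uses the keys: recompute the checksum and compare
 * in constant time. Returns 1 on match; on mismatch clears both keys, returns 0. */
int keys_validate(uint8_t k1[KEY_BITS], uint8_t k2[KEY_BITS], const uint8_t checksum[20])
{
    uint8_t now[20]; unsigned diff = 0;
    key_checksum(k1, k2, now);
    for (int i = 0; i < 20; i++) diff |= now[i] ^ checksum[i];
    if (diff) { memset(k1, 0, KEY_BITS); memset(k2, 0, KEY_BITS); return 0; }
    return 1;
}

int main(void)
{
    uint8_t k1[KEY_BITS], k2[KEY_BITS], sum[20];
    for (int i = 0; i < KEY_BITS; i++) { k1[i] = 1 + (i & 1); k2[i] = 2 - (i & 1); }  /* constructed keys */
    key_checksum(k1, k2, sum);                      /* stored as Checksum at programming time */
    printf("keys intact: valid=%d\n", keys_validate(k1, k2, sum));
    k1[7] = 3;                                      /* one key cell forced to full charge */
    printf("one key cell forced: valid=%d, k1[0] after clear=%d\n", keys_validate(k1, k2, sum), k1[0]);
    tamper_t t = {0};
    printf("program-code cell at level 3: bit=%d erase_line=%d\n", flash_read_bit(3, &t), t.erase_line);
    return 0;
}
```

The split matters: a forced program-code cell is caught on the read itself and erases everything, whereas a forced key cell is only caught when the whole expanded key is hashed, so the outcome (clear all keys) is the same whichever bit was touched and in whichever direction, which is the leak [1253] is closing.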

[1254] 10.1.7 Boot Circuitry for Loading Program Code

[1255] Program code should be kept in multi-level Flash instead of ROM, since ROM is subject to being altered in a non-testable way. A boot mechanism is therefore required to load the program code into Flash memory (Flash memory is in an indeterminate state after manufacture).

[1256] The boot circuitry must not be in ROM—a small state machine would suffice. Otherwise the boot code could be modified in an undetectable way.

[1257] The boot circuitry must erase all Flash memory, check to ensure the erasure worked, and then load the program code. Flash memory must be erased before loading the program code. Otherwise an attacker could put the chip into the boot state, and then load program code that simply extracted the existing keys. The state machine must also check to ensure that all Flash memory has been cleared (to ensure that an attacker has not cut the Erase line) before loading the new program code.

[1258] The loading of program code must be undertaken by the secure Programming Station before secret information (such as keys) can be loaded. This step must be undertaken as the first part of the programming process described in Section 9.6.
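The boot sequence of Section 10.1.7 as an added C model (example code, not the patent's state machine): erase, verify that every cell reads as erased, and only then load. The cell count, the erased level, the sample image and the `erase_line_cut` flag (standing in for an attacker who has cut the Erase line) are constructed.

```c
/* Added example (not the patent's state machine): the ERASE -> VERIFY -> LOAD
 * boot sequence of Section 10.1.7. The Flash is an array of cells; the erased
 * level, the cell count and the code image are constructed, and
 * 'erase_line_cut' stands in for an attacker who has severed the Erase line. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FLASH_CELLS   64
#define LEVEL_ERASED  0u        /* no charge: what every cell must read after an erase */

typedef struct {
    uint8_t cell[FLASH_CELLS];
    int erase_line_cut;         /* 1: the erase pulse no longer reaches the array */
} flash_t;

static void flash_erase(flash_t *f)
{
    if (f->erase_line_cut) return;                 /* pulse lost: cells keep their charge */
    memset(f->cell, LEVEL_ERASED, sizeof f->cell);
}

/* Returns 1 only if every cell reads back as erased. */
static int flash_verify_erased(const flash_t *f)
{
    for (size_t i = 0; i < FLASH_CELLS; i++)
        if (f->cell[i] != LEVEL_ERASED) return 0;
    return 1;
}

/* Boot state machine. Returns 1 when the image has been written, 0 when the
 * erase could not be verified; in that case nothing is written, so newly
 * supplied code never runs alongside surviving key material. */
int boot_load(flash_t *f, const uint8_t *image, size_t n)
{
    flash_erase(f);
    if (!flash_verify_erased(f)) return 0;
    memcpy(f->cell, image, n < FLASH_CELLS ? n : FLASH_CELLS);
    return 1;
}

/* Counts cells still holding a non-erased level (old keys or loaded code). */
size_t flash_live_cells(const flash_t *f)
{
    size_t live = 0;
    for (size_t i = 0; i < FLASH_CELLS; i++) live += f->cell[i] != LEVEL_ERASED;
    return live;
}

int main(void)
{
    const uint8_t image[8] = {2, 1, 2, 2, 1, 1, 2, 1};   /* constructed code image */
    flash_t f = {{0}, 0};
    memset(f.cell, 2, 16);                        /* 16 cells of old key material */
    printf("normal boot: loaded=%d, live cells=%zu\n",
           boot_load(&f, image, 8), flash_live_cells(&f));
    memset(f.cell, 2, 16);
    f.erase_line_cut = 1;                         /* attacker has cut the Erase line */
    printf("erase line cut: loaded=%d, live cells=%zu\n",
           boot_load(&f, image, 8), flash_live_cells(&f));
    return 0;
}
```

The verify step is the whole point of [1257]: without it, a cut Erase line would let the old key cells survive into a boot that loads attacker-supplied code, and the model shows the load being refused in exactly that case.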

[1259] 10.1.8 Special Implementation of FETs for Key Data Paths

[1260] The normal FET implementation is illustrated by the case of a CMOS inverter 140, which involves a pMOS transistor 141 combined with an nMOS transistor 142 as shown in FIG. 14.

[1261] FIG. 15 is the voltage/current diagram for the CMOS inverter 140. During the transition, there is a small period of time 150 where both the nMOS transistor 142 and the pMOS transistor 141 have an intermediate resistance. The resultant power-ground short circuit causes a temporary increase in the current, and in fact accounts for the majority of current consumed by a CMOS device. A small amount of infrared light is emitted during the short circuit, and can be viewed through the silicon substrate (silicon is transparent to infrared light). A small amount of light is also emitted during the charging and discharging of the transistor gate capacitance and transmission line capacitance.

[1262] For circuitry that manipulates secret key information, such information must be kept hidden. An alternative non-flashing CMOS 160 implementation should therefore be used for all data paths that manipulate the key or a partially calculated value that is based on the key.

[1263] The use of two non-overlapping clocks φ1 and φ2 can provide a non-flashing mechanism. φ1 is connected to a second gate 161 of all nMOS transistors 162, and φ2 is connected to a second gate 163 of all pMOS transistors 164. The transition can only take place in combination with the clock. Since φ1 and φ2 are non-overlapping, the pMOS and nMOS transistors will not have a simultaneous intermediate resistance. The setup is shown in FIG. 16, and the impedance diagram in FIG. 17.

[1264] Finally, regular CMOS inverters can be positioned near critical non-Flashing CMOS components. These inverters should take their input signal from the Tamper Detection Line above. Since the Tamper Detection Line operates multiple times faster than the regular operating circuitry, the net effect will be a high rate of light-bursts next to each non-Flashing CMOS component. Since a bright light overwhelms observation of a nearby faint light, an observer will not be able to detect what switching operations are occurring in the chip proper. These regular CMOS inverters will also effectively increase the amount of circuit noise, reducing the SNR and obscuring useful EMI.

[1265] There are a number of side effects due to the use of non-Flashing CMOS:

[1266] The effective speed of the chip is reduced by twice the rise time of the clock per clock cycle. This is not a problem for an authentication chip.

[1267] The amount of current drawn by the non-Flashing CMOS is reduced (since the short circuits do not occur). However, this is offset by the use of regular CMOS inverters.

[1268] Routing of the clocks increases chip area, especially since multiple versions of φ1 and φ2 are required to cater for different levels of propagation. The estimation of chip area is double that of a regular implementation.

[1269] Design of the non-Flashing areas of the authentication chip is slightly more complex than the same design in regular CMOS. In particular, standard cell components cannot be used, making these areas full custom. This is not a problem for something as small as an authentication chip, particularly when the entire chip does not have to be protected in this manner.

[1270] 10.1.9 Connections in Polysilicon Layers Where Possible

[1271] Wherever possible, the connections along which the key or secret data flows should be made in the polysilicon layers. Where necessary, they can be in metal 1, but must never be in the top metal layer (containing the Tamper Detection Lines).

[1272] 10.1.10 OverUnderPower Detection Unit

[1273] Each authentication chip requires an OverUnderPower Detection Unit to prevent Power Supply Attacks. An OverUnderPower Detection Unit detects power glitches and tests the power level against a Voltage Reference to ensure it is within a certain tolerance. The Unit contains a single Voltage Reference and two comparators. The OverUnderPower Detection Unit would be connected into the RESET Tamper Detection Line, thus causing a RESET when triggered.

[1274] A side effect of the OverUnderPower Detection Unit is that as the voltage drops during a power-down, a RESET is triggered, thus erasing any work registers.

[1275] 10.1.11 No Test Circuitry

[1276] Test hardware on an authentication chip could very easily introduce vulnerabilities. As a result, the authentication chip should not contain any BIST or scan paths.

[1277] The authentication chip must therefore be testable with external test vectors. This should be possible since the authentication chip is not complex.

[1278] 10.1.12 Transparent Epoxy Packaging

[1279] The authentication chip needs to be packaged in transparent epoxy so it can be photo-imaged by the programming station to prevent Trojan horse attacks. The transparent packaging does not compromise the security of the authentication chip since an attacker can fairly easily remove a chip from its packaging. For more information see Section 10.2.20 and [85].

[1280] 10.2 Resistance To Physical Attacks

[1281] While this part only describes manufacture in general terms (since this document does not cover a specific implementation of a Protocol C1 authentication chip), we can still make some observations about such a chip's resistance to physical attack. A description of the general form of each physical attack can be found in Section 3.8.2.

[1282] 10.2.1 Reading ROM

[1283] This attack depends on the key being stored in an addressable ROM. Since each authentication chip stores its authentication keys in internal Flash memory and not in an addressable ROM, this attack is irrelevant.

[1284] 10.2.2 Reverse Engineering the Chip

[1285] Reverse engineering a chip is only useful when the security of authentication lies in the algorithm alone. However our authentication chips rely on a secret key, and not on the secrecy of the algorithm. Our authentication algorithm is, by contrast, public, and in any case, an attacker of a high volume consumable is assumed to have been able to obtain detailed plans of the internals of the chip.

[1286] In light of these factors, reverse engineering the chip itself, as opposed to the stored data, poses no threat.

[1287] 10.2.3 Usurping the Authentication Process

[1288] There are several forms this attack can take, each with varying degrees of success. In all cases, it is assumed that a clone manufacturer will have access to both the System and the consumable designs.

[1289] An attacker may attempt to build a chip that tricks the System into returning a valid code instead of generating an authentication code. This attack is not possible for two reasons. The first reason is that System authentication chips and Consumable authentication chips, although physically identical, are programmed differently. In particular, the RD opcode and the RND opcode are the same, as are the WR and TST opcodes. A System authentication chip cannot perform a RD command since every call is interpreted as a call to RND instead. The second reason this attack would fail is that separate serial data lines are provided from the System to the System and Consumable authentication chips. Consequently neither chip can see what is being transmitted to or received from the other.

[1290] If the attacker builds a clone chip that ignores WR commands (which decrement the consumable remaining), Protocol C1 ensures that the subsequent RD will detect that the WR did not occur. The System will therefore not go ahead with the use of the consumable, thus thwarting the attacker. The same is true if an attacker simulates loss of contact before authentication—since the authentication does not take place, the use of the consumable doesn't occur.

[1291] An attacker is therefore limited to modifying each System in order for clone consumables to be accepted (see Section 10.2.4 for details of resistance to this attack).

[1292] 10.2.4 Modification of System

[1293] The simplest method of modification is to replace the System's authentication chip with one that simply reports success for each call to TST. This can be thwarted by the System calling TST several times for each authentication, with the first few times providing false values, and expecting a fail from TST. The final call to TST would be expected to succeed. The number of false calls to TST could be determined by some part of the returned result from RD or from the system clock. Unfortunately an attacker could simply rewire the System so that the new System clone authentication chip can monitor the returned result from the consumable chip or clock. The clone System authentication chip would only return success when that monitored value is presented to its TST function. Clone consumables could then return any value as the hash result for RD, as the clone System chip would declare that value valid. There is therefore no point in the System calling the System authentication chip multiple times, since a rewiring attack will only work for the System that has been rewired, and not for all Systems. For more information see Section 5.2.4.

[1294] A similar form of attack on a System is a replacement of the System ROM. The ROM program code can be altered so that the authentication never occurs. There is nothing that can be done about this, since the System remains in the hands of a consumer. Of course this would void any warranty, but the consumer may consider the alteration worthwhile if the clone consumable were extremely cheap and more readily available than the original item.

[1295] The System/consumable manufacturer must therefore determine how likely an attack of this nature is. Such a study must take into account the pricing structure of Systems and Consumables, the frequency of System service, the advantage to the consumer of having a physical modification performed, and where consumers would go to get the modification performed.

[1296] The likelihood of physical alteration increases with the perceived artificiality of the consumable marketing scheme. It is one thing for a consumable to be protected against clone manufacturers. It is quite another for a consumable's market to be protected by a form of exclusive licensing arrangement that creates what is viewed by consumers as artificial markets. In the former case, owners are not so likely to go to the trouble of modifying their system to allow a clone manufacturer's goods. In the latter case, consumers are far more likely to modify their System. A case in point is DVD. Each DVD is marked with a region code, and will only play in a DVD player from that region. Thus a DVD from the USA will not play in an Australian player, and a DVD from Japan, Europe or Australia will not play in a USA DVD player. Given that certain DVD titles are not available in all regions, or because of quality differences, pricing differences or timing of releases, many consumers have had their DVD players modified to accept DVDs from any region. The modification is usually simple (it often involves soldering a single wire), voids the owner's warranty, and often costs the owner some money. But the interesting thing to note is that the change is not made so the consumer can use clone consumables—the consumer will still only buy real consumables, but from different regions. The modification is performed to remove what is viewed as an artificial barrier, placed on the consumer by the movie companies. In the same way, a System/Consumable scheme that is viewed as unfair will result in people making modifications to their Systems.

[1297] The limit case of modifying a system is for a clone manufacturer to provide a completely clone System which takes clone consumables. This may be simple competition or violation of patents. Either way, it is beyond the scope of the authentication chip and depends on the technology or service being cloned.

[1298] 10.2.5 Direct Viewing of Chip Operation by Conventional Probing

[1299] In order to view the chip operation, the chip must be operating. However, the Tamper Prevention and Detection circuitry covers those sections of the chip that process or hold the key. It is not possible to view those sections through the Tamper Prevention lines.

[1300] An attacker cannot simply slice the chip past the Tamper Prevention layer, for this will break the Tamper Detection Lines and cause an erasure of all keys at power-up. Simply destroying the erasure circuitry is not sufficient, since the multiple ChipOK bits (now all 0) feeding into multiple units within the authentication chip will cause the chip's regular operating circuitry to stop functioning.

[1301] To set up the chip for an attack, then, requires the attacker to delete the Tamper Detection lines, stop the Erasure of Flash memory, and somehow rewire the components that relied on the ChipOK lines. Even if all this could be done, the act of slicing the chip to this level will most likely destroy the charge patterns in the non-volatile memory that holds the keys, making the process fruitless.

[1302] 10.2.6 Direct Viewing of the Non-volatile Memory

[1303] If the authentication chip were sliced so that the floating gates of the Flash memory were exposed, without discharging them, then the keys could probably be viewed directly using an STM or SKM.

[1304] However, slicing the chip to this level without discharging the gates is probably impossible. Using wet etching, plasma etching, ion milling, or chemical mechanical polishing will almost certainly discharge the small charges present on the floating gates. This is true of regular Flash memory, but even more so of multi-level Flash memory.

[1305] 10.2.7 Viewing the Light Bursts Caused by State Changes

[1306] All sections of circuitry that manipulate secret key information are implemented in the non-Flashing CMOS described above. This prevents the emission of the majority of light bursts. Regular CMOS inverters placed in close proximity to the non-Flashing CMOS will hide any faint emissions caused by capacitor charge and discharge. The inverters are connected to the Tamper Detection circuitry, so they change state many times (at the high clock rate) for each non-Flashing CMOS state change.

[1307] 10.2.8 Viewing the Keys Using an SEPM

[1308] An SEPM attack can be simply thwarted by adding a metal layer to cover the circuitry. However an attacker could etch a hole in the layer, so this is not an appropriate defense.

[1309] The Tamper Detection circuitry described above will shield the signal as well as cause circuit noise. The noise will actually be a greater signal than the one that the attacker is looking for. If the attacker attempts to etch a hole in the noise circuitry covering the protected areas, the chip will not function, and the SEPM will not be able to read any data.

[1310] An SEPM attack is therefore fruitless.

[1311] 10.2.9 Monitoring EMI

[1312] The Noise Generator described above will cause circuit noise. The noise will interfere with other electromagnetic emissions from the chip's regular activities and thus obscure any meaningful reading of internal data transfers.

[1313] 10.2.10 Viewing Idd Fluctuations

[1314] The solution against this kind of attack is to decrease the SNR in the Idd signal. This is accomplished by increasing the amount of circuit noise and decreasing the amount of signal.

[1315] The Noise Generator circuit (which also acts as a defense against EMI attacks) will also cause enough state changes each cycle to obscure any meaningful information in the Idd signal.

[1316] In addition, the special Non-Flashing CMOS implementation of the key-carrying data paths of the chip prevents current from flowing when state changes occur. This has the benefit of reducing the amount of signal.

[1317] 10.2.11 Differential Fault Analysis

[1318] Differential fault bit errors are introduced in a non-targeted fashion by ionization, microwave radiation, and environmental stress. The most likely effect of an attack of this nature is a change in Flash memory (causing an invalid state) or RAM (bad parity). Invalid states and bad parity are detected by the Tamper Detection Circuitry, and cause an erasure of the key.

[1319] Since the Tamper Detection Lines cover the key manipulation circuitry, any error introduced in the key manipulation circuitry will be mirrored by an error in a Tamper Detection Line. If the Tamper Detection Line is affected, the chip will either continually RESET or simply erase the key upon a power-up, rendering the attack fruitless.

[1320] Rather than relying on a non-targeted attack and hoping that “just the right part of the chip is affected in just the right way”, an attacker is better off trying to introduce a targeted fault (such as overwrite attacks, gate destruction etc.). For information on these targeted fault attacks, see the relevant sections below.

[1321] 10.2.12 Clock Glitch Attacks

[1322] The Clock Filter (described above) eliminates the possibility of clock glitch attacks.

[1323] 10.2.13 Power Supply Attacks

[1324] The OverUnderPower Detection Unit (described above) eliminates the possibility of power supply attacks.

[1325] 10.2.14 Overwriting ROM

[1326] Authentication chips store program code, keys and secretinformation in Flash memory, and not in ROM. This attack is thereforenot possible.

[1327] 10.2.15 Modifying EEPROM/Flash

[1328] Authentication chips store program code, keys and secretinformation in multi-level Flash memory. However the Flash memory iscovered by two Tamper Prevention and Detection Lines. If either of theselines is broken (in the process of destroying a gate via a laser-cutter)the attack will be detected on power-up, and the chip will either RESET(continually) or erase the keys from Flash memory. This process isdescribed in Section 10.1.6.

[1329] Even if an attacker is able to somehow access the bits of Flashand destroy or short out the gate holding a particular bit, this willforce the bit to have no charge or a full charge. These are both invalidstates for the authentication chip's usage of the multi-level Flashmemory (only the two middle states are valid). When that data value istransferred from Flash, detection circuitry will cause the ErasureTamper Detection Line to be triggered—thereby erasing the remainder ofFlash memory and RESETing the chip. This is true for program code, andnon-secret information. As key data is read from multi-level flashmemory, it is not imediately checked for validity (otherwise informationabout the key is given away). Instead, a specific key validationmechanism is used to protect the secret key information.

[1330] An attacker could theoretically etch off the upper levels of the chip, and deposit enough electrons to change the state of the multi-level Flash memory by ⅓. If the beam is of high enough energy it might be possible to focus the electron beam through the Tamper Prevention and Detection Lines. As a result, the authentication chip must perform a validation of the keys before replying to the Random, Test or Read commands. The SHA-1 algorithm must be run on the keys, and the result compared against an internal checksum value. This gives an attacker a 1 in 2¹⁶⁰ chance of tricking the chip, which is the same chance as guessing either of the keys.

[1331] A Modify EEPROM/Flash attack is therefore fruitless.

[1332] 10.2.16 Gate Destruction Attacks

[1333] Gate Destruction Attacks rely on the ability of an attacker tomodify a single gate to cause the chip to reveal information duringoperation. However any circuitry that manipulates secret information iscovered by one of the two Tamper Prevention and Detection lines. Ifeither of these lines is broken (in the process of destroying a gate)the attack will be detected on power-up, and the chip will either RESET(continually) or erase the keys from Flash memory.

[1334] To launch this kind of attack, an attacker must firstreverse-engineer the chip to determine which gate(s) should be targeted.Once the location of the target gates has been determined, the attackermust break the covering Tamper Detection line, stop the Erasure of Flashmemory, and somehow rewire the components that rely on the ChipOK lines.Rewiring the circuitry cannot be done without slicing the chip, and evenif it could be done, the act of slicing the chip to this level will mostlikely destroy the charge patterns in the non-volatile memory that holdsthe keys, making the process fruitless.

[1335] 10.2.17 Overwrite Attack

[1336] An overwrite attack relies on being able to set individual bits of the key without knowing the previous value. It relies on probing the chip, as in the conventional probing attack, and destroying gates, as in the gate destruction attack. Both of these attacks (as explained in their respective sections) will not succeed due to the use of the Tamper Prevention and Detection Circuitry and ChipOK lines.

[1337] However, even if the attacker is able to somehow access the bits of Flash and destroy or short out the gate holding a particular bit, this will force the bit to have no charge or a full charge. These are both invalid states for the authentication chip's usage of the multi-level Flash memory (only the two middle states are valid). When that data value is transferred from Flash, detection circuitry will cause the Erasure Tamper Detection Line to be triggered, thereby erasing the remainder of Flash memory and RESETing the chip. In the same way, a parity check on tampered values read from RAM will cause the Erasure Tamper Detection Line to be triggered.

[1338] An overwrite attack is therefore fruitless.
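The two Flash checks described in paragraphs [1329] to [1330] and again in [1337], modelled in software as an added example (this is not the patent's own circuitry or code). It assumes a 2-bit cell encoding in which, of the four charge levels 0 to 3, only the middle levels carry data (level 1 as bit 0, level 2 as bit 1), and it assumes the internal key checksum is SHA-1 of the key bytes; the patent fixes only that the two middle states are the valid ones and that SHA-1 is run over the keys. Program-memory reads reject a bad cell the moment it is transferred; key reads deliberately do not, and rely on the whole-key checksum instead so that a per-bit rejection cannot leak which bit was hit. The sample program bytes and key are constructed.

```python
import hashlib
import hmac

# Assumed cell encoding (not specified by the patent beyond "only the two
# middle states are valid"): level 1 -> bit 0, level 2 -> bit 1. Levels 0 and
# 3 are the no-charge / full-charge states a shorted or destroyed gate leaves.
VALID_LEVELS = {1: 0, 2: 1}


class TamperDetected(Exception):
    """Raised where the chip would trigger the Erasure Tamper Detection Line."""


def _pack(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


class Flash:
    def __init__(self):
        self.cells = {}          # region name -> list of cell levels (0..3)
        self.key_checksum = None
        self.erased = False

    def program(self, region: str, data: bytes) -> None:
        self.cells[region] = [2 if (b >> i) & 1 else 1
                              for b in data for i in range(7, -1, -1)]
        if region == "key":
            # internal checksum for the key validation of [1330] (assumed SHA-1)
            self.key_checksum = hashlib.sha1(data).digest()

    def erase(self) -> None:
        """What the Erasure Tamper Detection Line does: wipe everything."""
        self.erased = True
        for region in self.cells:
            self.cells[region] = [0] * len(self.cells[region])
        self.key_checksum = None

    def read(self, region: str) -> bytes:
        """Program code / non-secret data: a cell outside the two middle
        levels trips erasure as the word is transferred ([1329], [1337])."""
        bits = []
        for lvl in self.cells[region]:
            if lvl not in VALID_LEVELS:
                self.erase()
                raise TamperDetected(f"cell in {region!r} at level {lvl}")
            bits.append(VALID_LEVELS[lvl])
        return _pack(bits)

    def read_key(self) -> bytes:
        """Key data is NOT checked cell by cell (that would reveal which bit
        the attacker hit). Every level maps to some bit, the whole key is
        read, and SHA-1 of it is compared with the stored checksum in one
        constant-time step ([1330]); a mismatch erases the chip."""
        key = _pack([1 if lvl >= 2 else 0 for lvl in self.cells["key"]])
        stored = self.key_checksum if self.key_checksum else bytes(20)
        if not hmac.compare_digest(hashlib.sha1(key).digest(), stored):
            self.erase()
            raise TamperDetected("key checksum mismatch")
        return key


def fresh_chip() -> Flash:
    """Constructed sample contents: two code bytes and a 160-bit key."""
    f = Flash()
    f.program("program", b"\x3c\xa5")
    f.program("key", bytes(range(20)))
    return f


def attack_program_cell(flash: Flash) -> str:
    """Short a gate in program memory (forces level 3); the next read of
    that region must trip erasure."""
    flash.cells["program"][5] = 3
    try:
        flash.read("program")
    except TamperDetected:
        return "erased" if flash.erased else "undetected"
    return "undetected"


def attack_key_cell(flash: Flash) -> str:
    """Electron-beam shift of one key cell by one level ([1330]). The cell
    still sits at a 'valid' level, so only the key checksum can catch it."""
    flash.cells["key"][7] = 2 if flash.cells["key"][7] == 1 else 1
    try:
        flash.read_key()
    except TamperDetected:
        return "erased" if flash.erased else "undetected"
    return "undetected"


if __name__ == "__main__":
    print(fresh_chip().read("program").hex(), fresh_chip().read_key().hex())
    print(attack_program_cell(fresh_chip()), attack_key_cell(fresh_chip()))
```

The important design point is the asymmetry: program data fails fast on the first bad cell, but the key path never branches on an individual cell, only on the digest of the whole key, which is what keeps the attacker's success chance at the 1 in 2¹⁶⁰ of paragraph [1330] rather than the 1 in 2 per bit that a cell-by-cell check would hand over.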

[1339] 10.2.18 Memory Remanence Attack

[1340] Any working registers or RAM within the authentication chip maybe holding part of the authentication keys when power is removed. Theworking registers and RAM would continue to hold the information forsome time after the removal of power. If the chip were sliced so thatthe gates of the registers/RAM were exposed, without discharging them,then the data could probably be viewed directly using an STM.

[1341] The first defense can be found above, in the description ofdefense against power glitch attacks. When power is removed, allregisters and RAM are cleared, just as the RESET condition causes aclearing of memory.

[1342] The chances then, are less for this attack to succeed than for areading of the Flash memory. RAM charges (by nature) are more easilylost than Flash memory. The slicing of the chip to reveal the RAM willcertainly cause the charges to be lost (if they haven't been lost simplydue to the memory not being refreshed and the time taken to perform theslicing).

[1343] This attack is therefore fruitless.

[1344] 10.2.19 Chip Theft Attack

[1345] There are distinct phases in the lifetime of an authentication chip. Chips can be stolen at any of these stages:

[1346] After manufacture, but before programming of key

[1347] After programming of key, but before programming of state data

[1348] After programming of state data, but before insertion into theconsumable or system

[1349] After insertion into the system or consumable

[1350] A theft in between the chip manufacturer and programming stationwould only provide the clone manufacturer with blank chips. This merelycompromises the sale of authentication chips, not anything authenticatedby the authentication chips. Since the programming station is the onlymechanism with consumable and system product keys, a clone manufacturerwould not be able to program the chips with the correct key. Clonemanufacturers would be able to program the blank chips for their ownSystems and Consumables, but it would be difficult to place these itemson the market without detection.

[1351] The second form of theft can only happen in a situation where anauthentication chip passes through two or more distinct programmingphases. This is possible, but unlikely. In any case, the worst situationis where no state data has been programmed, so all of M is read/write.If this were the case, an attacker could attempt to launch an adaptivechosen text attack on the chip. The HMAC-SHA1 algorithm is resistant tosuch attacks. For more information see Section 5.5.

[1352] The third form of theft would have to take place in between theprogramming station and the installation factory. The authenticationchips would already be programmed for use in a particular system or foruse in a particular consumable. The only use these chips have to a thiefis to place them into a clone System or clone Consumable. Clone systemsare irrelevant—a cloned System would not even require an authenticationchip. For clone Consumables, such a theft would limit the number ofcloned products to the number of chips stolen. A single theft should notcreate a supply constant enough to provide clone manufacturers with acost-effective business.

[1353] The final form of theft is where the System or Consumable itselfis stolen. When the theft occurs at the manufacturer, physical securityprotocols must be enhanced. If the theft occurs anywhere else, it is amatter of concern only for the owner of the item and the police orinsurance company. The security mechanisms that the authentication chipuses assume that the consumables and systems are in the hands of thepublic. Consequently, having them stolen makes no difference to thesecurity of the keys.

[1354] 10.2.20 Trojan Horse Attack

[1355] A Trojan horse attack involves an attacker inserting a fakeauthentication chip into the programming station and retrieving the samechip after it has been programmed with the secret key information. Thedifficulty of these two tasks depends on both logical and physicalsecurity, but is an expensive attack—the attacker has to manufacture afalse authentication chip, and it will only be useful where the effortis worth the gain. For example, obtaining the secret key for a specificcar's authentication chip is most likely not worth an attacker'sefforts, while the key for a printer's ink cartridge may be veryvaluable.

[1356] The problem arises if the programming station is unable to tell aTrojan horse authentication chip from a real one—which is the problem ofauthenticating the authentication chip.

[1357] One solution to the authentication problem is for themanufacturer to have a programming station attached to the end of theproduction line. Chips passing the manufacture QA tests are programmedwith the manufacturer's secret key information. The chip can thereforebe verified by the C1 authentication protocol, and give information suchas the expected batch number, serial number etc. The information can beverified and recorded, and the valid chip can then be reprogrammed withthe System or Consumable key and state data. An attacker would have tosubstitute an authentication chip with a Trojan horse programmed withthe manufacturer's secret key information and copied batch number datafrom the removed authentication chip. This is only possible if themanufacturer's secret key is compromised (the key is changed regularlyand not known by a human) or if the physical security at themanufacturing plant is compromised at the end of the manufacturingchain.

[1358] Even if the solution described were to be undertaken, the possibility of a Trojan horse attack does not go away; it is merely moved to the manufacturer's physical location. A better solution requires no physical security at the manufacturing location.

[1359] The preferred solution then, is to use transparent epoxy on thechip's packaging and to image the chip before programming it. Once thechip has been mounted for programming it is in a known fixedorientation. It can therefore be high resolution photo-imaged andX-rayed from multiple directions, and the images compared against“signature” images. Any chip not matching the image signature is treatedas a Trojan horse and rejected.


1. A validation method for determining whether an untrusted chip is valid, or not, including the steps of: generating a secret random number and calculating a signature for the random number using a signature function, in a trusted authentication chip; encrypting the random number and the signature by a symmetric encryption function using a first key, in the trusted authentication chip; passing the encrypted random number and signature from the trusted authentication chip to an untrusted authentication chip; receiving, in the trusted authentication chip, a second number from the untrusted chip, said second number having been generated, in the untrusted chip, by a process including: decrypting the encrypted random number and signature with a symmetric decryption function using the first key; calculating a second signature for the decrypted random number using the signature function, in the untrusted authentication chip; comparing the second signature with the decrypted signature; in the event that the two signatures match, encrypting the decrypted random number by the symmetric encryption function using a second key to produce the second number; in the trusted authentication chip, encrypting the random number by the symmetric encryption function using the second key; in the trusted authentication chip, comparing the random number encrypted using the second key with the second number; in the event that the random number encrypted using the second key matches the second number, considering the untrusted chip to be valid; otherwise considering the untrusted chip to be invalid.
 2. The method of claim 1, where the first and second keys are held in both the trusted and untrusted chips, and are kept secret.
 3. The method of claim 1, including a random function to produce random numbers from a seed, the function advancing after each successful validation, so that the next random number will be produced from a new seed.
 4. The method of claim 1, where the symmetric decrypt function is held only in the untrusted chip.
 5. The method of claim 1, where the signature function generates digital signatures of 160 bits.
 6. The method of claim 1, where a prove function is held only in the untrusted chip to test the decrypted random number and signature, and to return the second number if a signature calculated from the decrypted random number matches the decrypted signature; otherwise it returns an indication the chip is invalid.
 7. The method of claim 6, where the time taken to return an indication the chip is invalid is the same for all bad inputs, and the time taken to return the second number is the same for all good inputs.
 8. The method of claim 1, where a test function is held only in the trusted chip to advance the random number if the untrusted chip is valid; otherwise it returns an indication the chip is invalid.
 9. The method of claim 8, where the time taken to return an indication the untrusted chip is invalid is the same for all bad inputs, and the time taken to return an indication the chip is valid is the same for all good inputs.
 10. The method of claim 1, where it is used to determine the physical presence of a valid authentication chip.
 11. A validation system for performing the method of claim 1, where the system includes a trusted authentication chip and an untrusted chip; where the trusted authentication chip includes a random number generator, a symmetric encryption function and two keys for the function, a signature function and a test function; and the untrusted chip includes a symmetric encryption and decryption function and two keys for these functions, a signature function, and a prove function to decrypt a random number and signature encrypted using the first key by the trusted authentication chip, and to calculate another signature from the decrypted random number, for comparison with the decrypted one, and in the event that the comparison is successful to encrypt the random number with the second key and send it back as a second number; the test function in the trusted chip configured to then generate an encrypted version of the random number using the second key and to compare it with the second number to validate the untrusted chip.
 12. A validation system of claim 11, where the remainder of the system is software, hardware or a combination of both, but the trusted chip is a physical authentication chip.
 13. A validation system of claim 11, where both chips have the same internal structure.
 14. A validation system of claim 11, where the first and second keys are kept secret.
 15. A validation system of claim 11, where the trusted authentication chip contains a random function to produce random numbers from a seed, and the function advances after each successful validation, so that the next random number will be produced from a new seed.
 16. A validation system of claim 11, where the signature function generates digital signatures of 160 bits.
 17. A validation system of claim 11, where the prove function returns an indication the chip is invalid for all bad inputs and the time taken to do this is the same for all bad inputs, and the time taken to return the second number is the same for all good inputs.
 18. A validation system of claim 11, where the test function advances the random number if the untrusted chip is validated.
 19. A validation system of claim 11, where the time taken for the test function to return an indication that the chip is not validated is the same for all bad inputs, and the time taken to return an indication that the chip is validated is the same for all good inputs.
 20. A validation system of claim 11, where it is used to determine the physical presence of a valid authentication chip. 
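The exchange of claims 1 and 11 run end to end, with both chips simulated in one process, as an added example that is not the patent's own code. The patent does not name the primitives, so the following are assumptions: the 160-bit signature function is HMAC-SHA1 under the first key; the symmetric cipher is a four-round balanced Feistel network whose round function is HMAC-SHA1 (a stand-in chosen so the example needs only the standard library; a real chip would use a proper block cipher); and the random function advances by hashing its seed after each successful validation (claims 3, 8 and 15). The keys and seed are constructed. The example also goes slightly beyond the claims by showing what the Test function does with a replayed second number and with clones holding wrong keys.

```python
import hashlib
import hmac

SIG_LEN = 20   # 160-bit signatures (claims 5 and 16)
ROUNDS = 4

# Constructed key material; a real chip keeps these in tamper-protected Flash.
K1 = bytes(range(1, 21))        # first key
K2 = bytes(range(101, 121))     # second key
SEED = b"constructed seed for the trusted chip"


def feistel(key: bytes, block: bytes, encrypt: bool) -> bytes:
    """Assumed symmetric cipher: balanced Feistel permutation over an
    even-length block of up to 40 bytes. The round function is
    HMAC-SHA1(key, round || right) truncated to half the block; running
    the rounds in reverse order decrypts."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for rnd in order:
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha1).digest()[:half]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left   # final swap makes decryption the mirror image


def signature(k1: bytes, r: bytes) -> bytes:
    """Assumed 160-bit signature function: HMAC-SHA1 under the first key."""
    return hmac.new(k1, b"sig" + r, hashlib.sha1).digest()


class TrustedChip:
    """Random function, both keys, signature function, Test function (claim 11)."""
    def __init__(self, k1: bytes, k2: bytes, seed: bytes):
        self.k1, self.k2, self.seed = k1, k2, seed

    def random(self) -> bytes:
        # R depends only on the current seed, so it changes only when the
        # seed advances after a successful validation (claims 3 and 15).
        return hmac.new(self.seed, b"random", hashlib.sha1).digest()

    def challenge(self) -> bytes:
        r = self.random()
        return feistel(self.k1, r + signature(self.k1, r), encrypt=True)

    def test(self, second_number) -> bool:
        """Recompute E_K2(R) and compare with what the untrusted chip sent.
        compare_digest keeps the time independent of where a mismatch lies
        (claims 9 and 19); an 'invalid' indication (None) from Prove is
        compared as a fixed wrong block rather than short-circuited."""
        expected = feistel(self.k2, self.random(), encrypt=True)
        got = second_number if second_number is not None else bytes(len(expected))
        if not hmac.compare_digest(expected, got):
            return False
        self.seed = hashlib.sha1(self.seed).digest()   # advance (claim 8)
        return True


class UntrustedChip:
    """Both keys, signature function, Prove function (claims 6 and 11)."""
    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2

    def prove(self, challenge: bytes):
        plain = feistel(self.k1, challenge, encrypt=False)
        r, sig = plain[:SIG_LEN], plain[SIG_LEN:]
        if not hmac.compare_digest(signature(self.k1, r), sig):   # claim 7
            return None                                  # "chip is invalid"
        return feistel(self.k2, r, encrypt=True)         # the second number


def validate(trusted: TrustedChip, untrusted: UntrustedChip) -> bool:
    """One complete run of the method of claim 1."""
    return trusted.test(untrusted.prove(trusted.challenge()))


def demo() -> dict:
    trusted = TrustedChip(K1, K2, SEED)
    genuine = UntrustedChip(K1, K2)
    wrong_k1 = UntrustedChip(bytes(20), K2)   # clone without the first key
    wrong_k2 = UntrustedChip(K1, bytes(20))   # clone without the second key
    first_challenge = trusted.challenge()
    captured = genuine.prove(first_challenge)  # second number seen on the bus
    return {
        "genuine": validate(trusted, genuine),              # True
        "advanced": trusted.challenge() != first_challenge,  # seed moved on
        "replay": trusted.test(captured),                   # stale R: False
        "wrong_k1": validate(trusted, wrong_k1),            # False
        "wrong_k2": validate(trusted, wrong_k2),            # False
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when reading the run: a clone without the first key never gets as far as producing a second number, because the signature it recomputes over the garbage it decrypted will not match, and a clone with the first key but not the second produces a second number that the trusted chip's own E_K2(R) rejects. Advancing the seed only on success is what makes the captured second number useless on the next run.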